Re: [TLS] Is stateless HelloRetryRequest worthwhile? (was Re: TLS 1.3 Problem?)

Michael D'Errico <> Wed, 30 September 2020 18:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2D19B3A0A86 for <>; Wed, 30 Sep 2020 11:09:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.213, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key); domainkeys=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CsSm0ueVlTqj for <>; Wed, 30 Sep 2020 11:08:58 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6E8343A0A85 for <>; Wed, 30 Sep 2020 11:08:58 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTP id BC68E9029B for <>; Wed, 30 Sep 2020 14:08:55 -0400 (EDT) (envelope-from
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=aaaw9C7PKWet WvuoAixT0TWE+4A=; b=f2LZbM3pRKptT4QV6aCZM3pJ3ybI8oj5eEXOzePSfoP2 e+//o5RskYn9P6+hojQuHkAB94n6WJ04rbpcBIHC7i1vQwFI1YhETfZsCXOfzl7a iN3i1uZlQbItC0NDAiKALky1nJRJ1CbIYeVWe+polxn0YTwFDyPf/1fnqeqxfEY=
DomainKey-Signature: a=rsa-sha1; c=nofws;; h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=oW3BUW agGxns+OmMfjFOxVMid5SiK2gnKJYz/lY3NILA3tuT2zCu8MnTf7HZfBB4TW0lYp d/IUA1nCpi3fjeAkEswUVyYxFlYMhrOYqfruffl5+HBGyuuwYxDzmNewR2GP7AFt vqbVTeS/o2iwuDg0yp7sionAVF799yJ+gzSl4=
Received: from (unknown []) by (Postfix) with ESMTP id B42919029A for <>; Wed, 30 Sep 2020 14:08:55 -0400 (EDT) (envelope-from
Received: from MacBookPro.local (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 4501A90299 for <>; Wed, 30 Sep 2020 14:08:55 -0400 (EDT) (envelope-from
References: <> <> <> <> <> <> <> <> <> <> <> <03ba01d6974e$ffaefe30$ff0cfa90$>
From: Michael D'Errico <>
Message-ID: <>
Date: Wed, 30 Sep 2020 14:08:52 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <03ba01d6974e$ffaefe30$ff0cfa90$>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
X-Pobox-Relay-ID: 00F08A10-0348-11EB-B483-2F5D23BA3BAF-38729857!
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] Is stateless HelloRetryRequest worthwhile? (was Re: TLS 1.3 Problem?)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Sep 2020 18:09:00 -0000

> DTLS 1.3 can be found here:

Thank you.

> The HRR is used in DTLS 1.3 for DDoS prevention.

This makes sense since DTLS is over UDP, but TLS
is over TCP, so it's already undergone the SYN/ACK
handshake to establish there's an actual peer with
a reachable address.

I'm thinking that the majority of the time, connections
are going to be legitimate, so optimize for that case.
Keep the first ClientHello in memory, send a simple
unpredictable cookie (maybe 128 bits ?) and just check
that it gets echoed.  Then do all the validation of the
second ClientHello against the first one that you have
to do anyway.

Monitor the activity occurring and if the server decides
it's being attacked in some way, maybe then switch to
stateless HRR (if this makes sense) or do whatever other
countermeasures are appropriate.