[TLS] Interaction between cookies and middlebox compat mode
Matt Caswell <matt@openssl.org> Wed, 27 December 2017 19:17 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/j6utQ8zXsSVZljV5KoMxEynIhBA>
Consider the scenario where a server is operating statelessly (i.e. using the cookie extension) and a client is operating in middlebox compat mode.

In that case the client sends an initial ClientHello and receives a ServerHello(HRR) back with a cookie in it. Before it sends its second ClientHello it first sends a dummy CCS.

From the server perspective it is operating statelessly so until it gets a ClientHello with a valid cookie in it, any message it receives is considered the "first" one. Therefore, because the server has forgotten about the initial interaction with the client, the first message it sees is a CCS.

Draft-22 says this:

"An implementation may receive an unencrypted record of type change_cipher_spec consisting of the single byte value 0x01 at any time during the handshake and MUST simply drop it without further processing."

Does "any time during the handshake" include the very first message it receives? If so then this has implications for servers that accept connections from TLSv1.2 (and below) clients (regardless of whether the server is stateless or not), i.e. an incoming connection that starts with a CCS and then goes on to negotiate TLSv1.2 would be accepted which seems odd.

If it doesn't mean that then a stateless server will receive a CCS as the first message and not know how to handle it. Maybe there are different rules for handling CCS for stateless servers? Or perhaps middlebox compat mode should never be used in a scenario where a stateless server is being used (e.g. QUIC).

Either way it seems that some clarification of the wording would help.

Matt
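The scenario in the message above, modelled at the record layer as an added example (not part of the original post and not OpenSSL code): a server that kept no state after its HelloRetryRequest judges the client's second flight from scratch under each of the two readings of the draft text. The function names, the `ccs_before_hello_ok` switch, the verdict strings and the byte strings are assumptions constructed for illustration; cookie validation is out of scope.

```python
import struct

CCS, HANDSHAKE = 20, 22   # TLS ContentType values
CLIENT_HELLO = 1          # HandshakeType value

def records(stream):
    """Yield (content_type, fragment) for each TLSPlaintext record."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        frag = stream[off + 5: off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record body")
        yield ctype, frag
        off += 5 + length

def stateless_first_message(stream, ccs_before_hello_ok):
    """Return (verdict, ccs_records_dropped) for a server with no memory
    of any earlier ClientHello/HRR exchange on this connection.

    ccs_before_hello_ok=True  models reading "any time during the
    handshake" as including the very first record received.
    ccs_before_hello_ok=False models the reading that excludes it.
    """
    dropped = 0
    for ctype, frag in records(stream):
        if ctype == CCS and frag == b"\x01":
            if not ccs_before_hello_ok:
                return ("reject", dropped)      # CCS seen as first message
            dropped += 1                        # drop without processing
            continue
        if ctype == HANDSHAKE and frag[:1] == bytes([CLIENT_HELLO]):
            # No version is inspected before this point, so under the
            # permissive reading a leading CCS is tolerated whatever
            # protocol version the hello goes on to negotiate.
            return ("process_client_hello", dropped)
        return ("reject", dropped)
    return ("need_more_data", dropped)

# Constructed sample bytes: a dummy CCS record, then a handshake record
# holding a stub ClientHello header (type 1, empty body).
DUMMY_CCS = bytes.fromhex("140303000101")
HELLO_STUB = bytes.fromhex("160303000401000000")
SECOND_FLIGHT = DUMMY_CCS + HELLO_STUB
```
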