[TLS] Re: Exporter compatibility pitfall between (D)TLS 1.2 and 1.3

John Mattsson <john.mattsson@ericsson.com> Mon, 10 March 2025 22:08 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>
Date: Mon, 10 Mar 2025 22:08:12 +0000
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jFbC-k2KXIHjC9jM8Vt_E15o-R0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

Hi David,

I remember that the same problem was discussed when standardizing EAP-TLS 1.3. The following text is in RFC 9190:

  “Note that the key derivation MUST use the length values given above.
   While in TLS 1.2 and earlier it was possible to truncate the output
   by requesting less data from the TLS-Exporter function, this practice
   is not possible with TLS 1.3.  If an implementation intends to use
   only a part of the output of the TLS-Exporter function, then it MUST
   ask for the full output and then only use the desired part.  Failure
   to do so will result in incorrect values being calculated for the
   above keying material.”

I agree that it would be good if 8446bis discussed the problem.

Cheers,
John

From: David Benjamin <davidben@chromium.org>
Date: Monday, 10 March 2025 at 21:20
To: <tls@ietf.org>
Subject: [TLS] Exporter compatibility pitfall between (D)TLS 1.2 and 1.3
Hi all,

I recently spent some time debugging an interop issue between WebRTC + DTLS 1.3 in Chrome and WebRTC + DTLS 1.3 in Firefox. The cause of the issue was a minor but interesting incompatibility between (D)TLS 1.2 and (D)TLS 1.3 that doesn't seem to have been flagged in RFC 8446 anywhere. Nothing actionable for this group, apart from maybe a last minute sentence to add to 8446bis (way too late to change how exporters work), but I thought I would pass it along for general awareness.

WebRTC uses DTLS-SRTP, which uses export keying material to generate some specified number of bytes of data:
https://www.rfc-editor.org/rfc/rfc5764.html#section-4.2

It turns out Firefox exported the maximum key+salt length and then only used a prefix of the output, rather than exporting the length as specified in RFC 5764. Back in 1.2, this was just fine and gave the right output. The requested length didn't figure into the derivation. But 1.3 incorporates the requested length into the derivation, so now this computes the wrong value.

This means, starting with 1.3, applications must be sure to pass in exactly the length specified by the protocol they're implementing. Applications that relied on this 1.2 property will silently do the wrong thing when upgrading to 1.3.

David
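
The pitfall discussed in this thread, as an added example (not code from either poster or from any browser): both exporter constructions are implemented side by side and asked for the specified length and for a longer length whose prefix is then kept. Assumptions: SHA-256 as the hash, the TLS 1.3 "tls13 " label prefix (DTLS 1.3 uses its own prefix), an empty exporter context, and constructed secrets, randoms and lengths (60 and 88 bytes).

```python
import hashlib
import hmac

HASH = hashlib.sha256

def p_hash(secret, seed, length):
    """TLS 1.2 P_SHA256 (RFC 5246): an output stream that is simply cut at `length`."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, HASH).digest()
        out += hmac.new(secret, a + seed, HASH).digest()
    return out[:length]

def exporter_tls12(master_secret, label, client_random, server_random, length):
    """RFC 5705 exporter, no context: `length` never enters the PRF input."""
    return p_hash(master_secret, label + client_random + server_random, length)

def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret, label, context, length):
    """RFC 8446 HkdfLabel: the requested length is the first field of `info`."""
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def exporter_tls13(exporter_master_secret, label, context, length):
    """RFC 8446 section 7.5 exporter."""
    derived = hkdf_expand_label(exporter_master_secret, label,
                                HASH(b"").digest(), HASH().digest_size)
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)

LABEL = b"EXTRACTOR-dtls_srtp"               # exporter label from RFC 5764
SECRET = bytes(range(48))                    # constructed secret, not real key material
CR, SR = b"\x01" * 32, b"\x02" * 32          # constructed client/server randoms

def compare_prefixes(spec_len=60, over_len=88):
    """Return (1.2 prefix matches, 1.3 prefix matches) for over-length export."""
    ok12 = (exporter_tls12(SECRET, LABEL, CR, SR, over_len)[:spec_len]
            == exporter_tls12(SECRET, LABEL, CR, SR, spec_len))
    ok13 = (exporter_tls13(SECRET[:32], LABEL, b"", over_len)[:spec_len]
            == exporter_tls13(SECRET[:32], LABEL, b"", spec_len))
    return ok12, ok13

print(compare_prefixes())
```

A regression test of this shape, run against the real stack's exporter API at each negotiated version, catches the mismatch before it shows up as an interop failure.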