Re: [TLS] handling of duplication of extensions between ServerHello and EncryptedExtensions

David Benjamin <> Fri, 02 September 2016 19:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5E1B412D1CA for <>; Fri, 2 Sep 2016 12:21:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.247
X-Spam-Status: No, score=-3.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FNRZk1pfJdhd for <>; Fri, 2 Sep 2016 12:21:21 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 78FA612B029 for <>; Fri, 2 Sep 2016 12:21:21 -0700 (PDT)
Received: by with SMTP id i184so55295201itf.1 for <>; Fri, 02 Sep 2016 12:21:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=xSAeakH5PDxuObAwWRUBc3PkOw24HaGCfEUcEnngHaE=; b=i3nYlUVlqHt266AqMVnLT64EY4P/X8HZge3FV9bLcYi3wtFmBmA9cLEoIK2Tv8/6i+ U5d6KzatVD7ggrd+R60aqve4sdbbsx7UdtsId5JLr3dwK8b0EFlad+UKnSdPsPa1plNE 54yPHRwzIqxCEkvcJrRtxFfWI1vh1FYlMt8LM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=xSAeakH5PDxuObAwWRUBc3PkOw24HaGCfEUcEnngHaE=; b=aFrBUF1O89Y+AEIlQkaDbrh4TRvyiI7o9LMJWBkKVbLyh+iiJufjRRT+SqiBxQxt2q g3qpoDilQ7JqNRRR51oLIYXIyLCHjlqYaVAn2086hS3PlcQxoBC/ITQT+XldYYXEXBII w2t9iDLz2R4n0KnS18UaT7BQSfYXKpB3/McFV5CRkhXaRQhs7oGM4rk2iqOlCKpb9q5X 3EE87TsxyQnYqiGxMBRz6g4/cBGScCrzs1MoFNdY6QtNEnR+DIRLhrvmK48IsNVJQurm ZKfuyYAAw4obeTi/NWX9unwFqEQnsxX5x32qmJcEmoyloONP+wugBMvBooLkvZI48TS1 MrtQ==
X-Gm-Message-State: AE9vXwPty2qoU19YFBzWcOlcPCPlJMEIH/GB0ha4afNbCw3xSNJ1asvSfdZWYifiufQTxmzmvWMfmNiDiR01aLg8
X-Received: by with SMTP id w128mr7360345itf.92.1472844080740; Fri, 02 Sep 2016 12:21:20 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: David Benjamin <>
Date: Fri, 02 Sep 2016 19:21:10 +0000
Message-ID: <>
To: Hubert Kario <>, "" <>
Content-Type: multipart/alternative; boundary="94eb2c0579783e6d65053b8b3cd1"
Archived-At: <>
Subject: Re: [TLS] handling of duplication of extensions between ServerHello and EncryptedExtensions
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Sep 2016 19:21:23 -0000

Huh. I agree that text is weird. We should probably remove it. I think we
actually get something akin to what you suggest basically implicitly:

Servers aren't allowed to send unsolicited extensions, so your SH and EE
parsers should be rejecting any unknown extensions. If you combine that
with not accepting known extensions in the wrong context (unencrypted ALPN
or encrypted key_share) since extensions already specify which messages
they may live in, this all works out.

So even if we explicitly say this rule, I don't think reflecting it in code
is the cleanest implementation strategy. (It requires one keep a list of SH
extensions and compare against it.) It might be better to say that
extensions in unexpected contexts should be rejected like any other
unexpected extension.


On Fri, Sep 2, 2016 at 1:31 PM Hubert Kario <> wrote:

> So, the draft has following text:
>     The same extension types MUST NOT appear in both the ServerHello and
>     EncryptedExtensions.  If the same extension appears in both locations,
>     the client MUST rely only on the value in the EncryptedExtensions
>     block.
> if the extension "MUST NOT" be in both ServerHello and EncryptedExtensions,
> why the client should continue with the handshake if a server makes such a
> major mistake? Why aborting the connection in such situation isn't safer?
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web:
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech
> Republic_______________________________________________
> TLS mailing list