Re: [TLS] Is stateless HelloRetryRequest worthwhile? (was Re: TLS 1.3 Problem?)

Michael D'Errico <> Sat, 03 October 2020 21:04 UTC


On 10/3/20 16:12, Nick Lamb wrote:
>>>> You can't possibly implement [stateless HelloRetryRequest] the
>>>> way the spec suggests with just a hash in a HRR cookie extension.
> Lots of people have and it works just fine, so it seems to me that "You
> can't possibly" here means something closer to "I still don't
> understand how to" and as such would be more appropriate to some sort
> of programming Q&A site like Stack Overflow than an IETF working group.

StackOverflow has only one result if you search for HelloRetryRequest
and it is about jdk.disabledAlgorithms.

When you say it "works just fine" I think you are saying that the
handshake will complete.  But is it secure?  This is the important
part of "works" and I'm not sure it's possible to do it correctly
without a lot of work, and am certain that a hash is not enough
information even if it's integrity-protected.

> The client MUST use the same value for legacy_session_id in its retried
> ClientHello. As a result this value will be available alongside the
> cookie.
> Section 4.4.2 is clear that a hash used this way in the cookie should be
> "protected with some suitable integrity protection algorithm". For
> example some implementations use an HMAC construction, but you could do
> other things here successfully. So in fact this is not especially
> optimistic.

All the integrity protection bytes tell you is that the server did in fact
generate the cookie at some point in the past.  You don't even know
how old the cookie is if it just contains a hash, unless you are
frequently changing the key (and keeping the previous key around for
a bit to cover the case that the key rollover happened within the
lifetime of an old cookie).  A client could possibly exploit this by making
many connections and sending a second ClientHello on each one with
the same legacy_session_id_echo and cookie.  A stateless server might
not be keeping track of whether a cookie is being reused, and why
would it if it's actually stateless?  If it's going to go through the trouble
of keeping track of previously-used cookies, possibly across several
distributed machines, why not just be not-stateless and avoid all of
the hassle?

And, yes, it is optimistic to trust a client to do the right thing. It's 
dangerous.  I used the word optimistic to downplay the significance.

Rebuilding the beginning of the transcript hash based solely on what
the client sends in its second ClientHello message is fraught with peril.