Re: [TLS] ALPN with 0-RTT Data
Eric Rescorla <ekr@rtfm.com> Wed, 12 October 2016 20:04 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CE1D129674 for <tls@ietfa.amsl.com>; Wed, 12 Oct 2016 13:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqntAddiYSj9 for <tls@ietfa.amsl.com>; Wed, 12 Oct 2016 13:03:59 -0700 (PDT)
Received: from mail-yb0-x230.google.com (mail-yb0-x230.google.com [IPv6:2607:f8b0:4002:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBE85129573 for <tls@ietf.org>; Wed, 12 Oct 2016 13:03:58 -0700 (PDT)
Received: by mail-yb0-x230.google.com with SMTP id 191so23373503ybv.3 for <tls@ietf.org>; Wed, 12 Oct 2016 13:03:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=E5rZxBxvvzGzGtkpw35dPIAL4Fm+vflRy9cIbrTLO5g=; b=pWHH1eDpTBfzjApc5tlG4888ny+P+ZpKalXn6H/IBEZyYGykkfC341Uv+ESHqd376b WmcZh0n2I0koPrQiSKA4VKez+zZVgePTC1iUR8GZr4GdkUpc1kMj6UxYEDXRWQfMN1mZ OXrtQs1rCftqMaYiPPAIYNWFIKbjQbPjMyF00xCH9VlirqliZ5e9S+8o9HRdday8R0Es iYt4oVGL7N8rdEprF+7t0K6pBwW9X6PZKfczDBI0UOCiVWRyZc2Ij1dJ2+grzdMUuDfD wqTOb5CsHlCPIEvjEOAy8qKpAiKaJh3FQGevIM7qJgDUUhJT9wBgqt0s+R27kPA8bWnS 138w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=E5rZxBxvvzGzGtkpw35dPIAL4Fm+vflRy9cIbrTLO5g=; b=NWoa1LhSFAx0vGc9NHLxAo3iGJsDfZFAe/+CZkoHN0ZfKxQXArKPVvY5u5rmFaky6j qSHsUH8r8MSlHTVE10xg7sDJ/Ro69Rx/ICqXS2cf1Vpp9EE0x+7hEDfQ49/lI3VqJgtW SnkzfYYZJFtHw9oyTsneb8pbxxBs4i2UAGiOUHS89bi8P6lCWQLWd0JJLB/USQJ/b1FI 3F2Kgbx9qk6sMT3ztn9vr2UGvdoanO9WlRwVAesULuOHZly7d0SDh3uPlDA4pb4cv4Dw WSuQKDJnCJR0kYxxDiiJk0JFP5MRgnmT+cUrXumUM/NTBLLvrdu2n1L9jCI60cdOyXVc JflQ==
X-Gm-Message-State: AA6/9Rmn1oq3yQuLGyyUtbjIsyPRtcAaOkkih4WziLV+FWeQFH2QSy0cl6f6296llinij4VtT5E4ZOv7nC+8cw==
X-Received: by 10.37.85.136 with SMTP id j130mr2449608ybb.80.1476302638090; Wed, 12 Oct 2016 13:03:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.212 with HTTP; Wed, 12 Oct 2016 13:03:17 -0700 (PDT)
In-Reply-To: <CAF8qwaAj=Dzs+DBoTVkFTCLz07HhtgmGp7YjsmzZx6BBSU+Zmw@mail.gmail.com>
References: <MWHPR15MB118283AEF96DAD58FD3F6FF3AFDD0@MWHPR15MB1182.namprd15.prod.outlook.com> <CAF8qwaAj=Dzs+DBoTVkFTCLz07HhtgmGp7YjsmzZx6BBSU+Zmw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 12 Oct 2016 13:03:17 -0700
Message-ID: <CABcZeBPaMMv23W9sqggcnhQKEy9QAYPDpgUH-naji_fVTHZ=+g@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: multipart/alternative; boundary="001a113e8a4c533a04053eb07e42"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qUC2G63lY8ZPkVate4NabuX9590>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ALPN with 0-RTT Data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2016 20:04:01 -0000
On Wed, Oct 12, 2016 at 1:01 PM, David Benjamin <davidben@chromium.org> wrote: > My interpretation was: > > 1. Client and server remember the previous selected ALPN protocol in the > session. > > 2. The client may offer whatever ALPN protocols it likes. It does not need > to match the previous offer list, though it presumably will unless you've > got a persistent session cache or so. > > 3. The client assumes that session's ALPN protocol was selected for > purposes of minting 0-RTT data. > > 4. The server must decline 0-RTT if it choses a different ALPN protocol. > This can be implemented by just doing ALPN negotiation as normal and > declining 0-RTT if the result does not match. (If client and server prefs > have not changed, 0-RTT will work. If prefs have changed, 0-RTT will miss > but future sessions will start being 0-RTT-able. I think this is probably > the sanest behavior.) > > 5. The client performs the usual checks on the selected ALPN protocol > (must be one of the advertised ones). In addition, it enforces that, if > 0-RTT was accepted, the protocol must match the session one. > This matches the behavior I intended in the spec (and the one NSS implements). -Ekr Pinning on the most preferred one causes awkward transitions when the most > preferred ALPN protocol is not the same as the most commonly deployed one. > If we ever define, say, h3, we want that one in front of h2 presumably, but > we wouldn't want to lose 0-RTT against all the h2 servers out there. > > I don't think we should be reorder preferences based on the sessions we > are offering. That makes it much harder to reason about the behavior of > preference lists. > > David > > > On Wed, Oct 12, 2016 at 3:49 PM Kyle Nekritz <knekritz@fb.com> wrote: > > Currently the draft specifies that the ALPN must be "the same" as in the > connection that established the PSK used with 0-RTT, and that the server > must check that the selected ALPN matches what was previously used. I find > this unclear if > > 1) the client should select and offer one (and only one) application > protocol > > 2) the client can offer multiple protocols, but use the most preferred one > offered for 0-RTT data > > 3) the client must send the exact same ALPN extension as in the previous > connection, but must use the ALPN previously selected by the server (even > if it was not the client's first offer). > > > > To clarify this we can instead > > * allow the client to offer whatever ALPN extension it wants > > * define that the 0-RTT data uses the client's most preferred application > protocol offer (and the server must pick this ALPN if it accepts 0-RTT), > similar to using the first PSK offer if multiple are offered > > * recommend that the client uses the same application protocol that was > used on the previous connection. > > > > PR: https://github.com/tlswg/tls13-spec/pull/681 > > > > Kyle > > > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] ALPN with 0-RTT Data Kyle Nekritz
- Re: [TLS] ALPN with 0-RTT Data David Benjamin
- Re: [TLS] ALPN with 0-RTT Data Eric Rescorla
- Re: [TLS] ALPN with 0-RTT Data Kyle Nekritz
- Re: [TLS] ALPN with 0-RTT Data David Benjamin