[TLS] Re: Exporter compatibility pitfall between (D)TLS 1.2 and 1.3
Martin Thomson <mt@lowentropy.net> Tue, 11 March 2025 01:40 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0ADE49C6BD4 for <tls@mail2.ietf.org>; Mon, 10 Mar 2025 18:40:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="qlpR0DN0"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="0ZKLVfMz"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ef_WMvjYfjV9 for <tls@mail2.ietf.org>; Mon, 10 Mar 2025 18:40:21 -0700 (PDT)
Received: from fhigh-b5-smtp.messagingengine.com (fhigh-b5-smtp.messagingengine.com [202.12.124.156]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 6C0959C6BCF for <tls@ietf.org>; Mon, 10 Mar 2025 18:40:21 -0700 (PDT)
Received: from phl-compute-07.internal (phl-compute-07.phl.internal [10.202.2.47]) by mailfhigh.stl.internal (Postfix) with ESMTP id 23CD925401EA for <tls@ietf.org>; Mon, 10 Mar 2025 21:40:21 -0400 (EDT)
Received: from phl-imap-01 ([10.202.2.91]) by phl-compute-07.internal (MEProxy); Mon, 10 Mar 2025 21:40:21 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm2; t=1741657220; x=1741743620; bh=b99/WpCPxZIEPFiBlRFAoup9Jt+QDtqTG43LNmKufpw=; b= qlpR0DN0kR16LUGBzm1FGFdLFrBLg0OHheKW7drUYTqM4vCOq6YTOz4K4hSlal7K R901h957X9nBt6nMYOy1UHz4cturAWppyddEX/A9rnWJ/qVaPd7O1k8dbouWcpu8 wmm7j2NpZyJ79Kme5Tbn1/d4rU9eJHCDpL2gp0Q0cNEkRanDu/gOI3EwLlxkXh2B DCjsQlsMzzk7EN1aUCWDPZ29oSm9bromrrlGJvoNoshUppd7wZFeesnKhXvVZzc+ UtxXj/LXJ0O0rwym/hnRybqT/wvkggPVyO/DfbtCaNZan/H6RlQzeELXeThe++2T qxbMJAjv1uBJ6cP9JJEcWA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; t=1741657220; x=1741743620; bh=b 99/WpCPxZIEPFiBlRFAoup9Jt+QDtqTG43LNmKufpw=; b=0ZKLVfMzZVsysfBcI Odw18wnUo9WgEZhw6bhrT3eIfLOGauYKITVryhCp3VVX5qpZH0MDR+9QH/21TcWp CkfXjbjqbP0PVrY42/CIvwRhZ2Suu/kx9uP3DunDP+Pc3S8dWl1vf/3waZ2wux7C og6Gvd4e4HT+Rw7Lu8hrsks0wLVCTjJ9m+S/KGBereWXqNsECtjyiS57Bh49ibml tKPibdAyHQK9+8thmXnL3ALK7dkdATIZlzu3PdYxG2Q8jW6Bx9HtfS/8Zvz4ZOHa hxqn/tpSJiK68jaLwM8JLnXMT9jBDvHuHxgnowUIrERNAE5FRbv3CTNSeF/Hklie EPNaA==
X-ME-Sender: <xms:hJTPZ7EnetvKzqJjggxjQ_bh9UEEKAZ-fqknpC-qMVg1xMgNGOza7g> <xme:hJTPZ4UIzo-94GZ9K9bIwrAvoS64gN8aH3r6aqI4nhp6HLDD7MSTF45rO6mRhj7wq mMFeUx8qXpCoM8dNYU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgdduvddtleefucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefogg ffhffvkfgjfhfutgfgsehtjeertdertddtnecuhfhrohhmpedfofgrrhhtihhnucfvhhho mhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrh hnpeegudelvedtheelffekgeeuhfevjeduledvvdelgefhjeeutdevffelteduiedutden ucffohhmrghinheprhhftgdqvgguihhtohhrrdhorhhgnecuvehluhhsthgvrhfuihiivg eptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgv thdpnhgspghrtghpthhtohepuddpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepth hlshesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:hJTPZ9J2XX4hjBUi39afMlq6HnKFGvblYDnb-jpgLzkz4pPxAgWvAg> <xmx:hJTPZ5GvB7HyQlMq4qIC6aqElf3P-D47rMJdeUjY1LO2rmpOifQCvQ> <xmx:hJTPZxXL8RsupbkQZJPpIrTQhE8akV0KBlV0FhRgDiNtQqxOCeZHgg> <xmx:hJTPZ0PyqhBHlxBPOX-h9dyL6Dsy-C9aGd7JMRakDbXLVHb3Ml9J4Q> <xmx:hJTPZyfcfxm0hJ_H65FeNlwVHdosSpmyzmHyn5N3joezvQ-9L1RjUyYF>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id AE067336007E; Mon, 10 Mar 2025 21:40:20 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: T37d810647a2cfa64
Date: Tue, 11 Mar 2025 12:40:00 +1100
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Message-Id: <210483c0-7b85-4e94-908d-fd89a42b1605@betaapp.fastmail.com>
In-Reply-To: <CAF8qwaAqfFMeGFLFaG8Lz=2HtGP5BMBXGX=irFP3vFRQOBFZ5Q@mail.gmail.com>
References: <CAF8qwaAqfFMeGFLFaG8Lz=2HtGP5BMBXGX=irFP3vFRQOBFZ5Q@mail.gmail.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Message-ID-Hash: HBEYHGGJ6AMEWU4GJDRDG2L2TSZEYUKI
X-Message-ID-Hash: HBEYHGGJ6AMEWU4GJDRDG2L2TSZEYUKI
X-MailFrom: mt@lowentropy.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Exporter compatibility pitfall between (D)TLS 1.2 and 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sK-XebGS36oM3VsmJBPV7HvT8EA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
I'd support the addition of a small note. That bug might have been my fault, even. On Tue, Mar 11, 2025, at 07:18, David Benjamin wrote: > Hi all, > > I recently spent some time debugging an interop issue between WebRTC + > DTLS 1.3 in Chrome and WebRTC + DTLS 1.3 in Firefox. The cause of the > issue was a minor but interesting incompatibility between (D)TLS 1.2 > and (D)TLS 1.3 that doesn't seem to have been flagged in RFC 8446 > anywhere. Nothing actionable for this group, apart from maybe a last > minute sentence to add to 8446bis (way too late to change how exporters > work), but I thought I would pass it along for general awareness. > > WebRTC uses DTLS-SRTP, which uses export keying material to generate > some specified number of bytes of data: > https://www.rfc-editor.org/rfc/rfc5764.html#section-4.2 > > It turns out Firefox exported the maximum key+salt length and then only > used a prefix of the output, rather than exporting the length as > specified in RFC 5764. Back in 1.2, this was just fine and gave the > right output. The requested length didn't figure into the derivation. > But 1.3 incorporates the requested length into the derivation, so now > this computes the wrong value. > > This means, starting with 1.3, applications must be sure to pass in > exactly the length specified by the protocol they're implementing. > Applications that relied on this 1.2 property will silently do the > wrong thing when upgrading to 1.3. > > David > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org
- [TLS] Exporter compatibility pitfall between (D)T… David Benjamin
- [TLS] Re: Exporter compatibility pitfall between … John Mattsson
- [TLS] Re: Exporter compatibility pitfall between … Martin Thomson