Re: [TLS] Working Group Last Call for draft-ietf-tls-tls13-18

[Eric Rescorla <ekr@rtfm.com>]

On Sat, Oct 29, 2016 at 3:00 AM, Martin Rex <mrex@sap.com> wrote:

> Joseph Salowey wrote:
> >
> > This is a working group last call announcement for
> draft-ietf-tls-tls13-18,
> > to run through November 20. If possible, we would like to receive
> comments
> > on the list by November 13 so they can be discussed at the meeting in
> > Seoul. We hope to address any substantive issues raised during that
> process
> > shortly thereafter.
> >
> > In order to allow for cryptographic review, we will delay submission of
> the
> > draft to the IESG until the end of January 2017; there will be an
> > opportunity to address any issues discovered by the cryptographic
> community
> > prior to submission to the IESG.
>
>
> There are two seriously backwards-incompatible changes in the
> current proposal that provide zero value, but completely break
> backwards-compatibility with existing middleware infrastructure.
>
>
> (1) hiding of the TLS record content types.
>     Please leave the TLS record types (handshake/AppData/Alert/CCS)
>     clearly visible on the outside of the TLS records, so that
>     middleware protocol parsers (which interface to transport-free
>     TLS protocol stacks) can continue to work, and continue to
>     work efficiently.


I'll let the chairs determine how to handle this.



> (2) hiding of the TLS extension SNI.
>     Right now it is perferctly fine to implement TLS extensions SNI
>     on the server completely outside the TLS protocol stack to route
>     to single-cert SNI-unaware backends.  The current proposal
>     suggest to move TLS extension SNI into the encrypted part, if
>     my superficial reading of the draft is correct, so TLSv1.3
>     will not fly with existing architectures where spreading of
>     TLS requests on the server-side based on TLS extension SNI
>     is done outside of the TLS protocol stack (i.e. bottleneck-less
>     without having to open TLS).


This isn't quite right. In RFC 6066, the client sends its server_name
extension in ClientHello and the server responds with an empty
server_name in its ServerHello to indicate that it accepted SNI.

   A server that receives a client hello containing the "server_name"
   extension MAY use the information contained in the extension to guide
   its selection of an appropriate certificate to return to the client,
   and/or other aspects of security policy.  In this event, the server
   SHALL include an extension of type "server_name" in the (extended)
   server hello.  The "extension_data" field of this extension SHALL be
   empty.

In TLS 1.3, the client's extension remains where it is, but the server's
extension is in EncryptedExtensions. This shouldn't interfere with
configurations such as the one you describe, as the server already
needed to insert the SNI field itself and hash it into Finished.

-Ekr


>