IETF Logo Mail Archive

[TLS] Re: ECH Proxy Mode

涛叔 <hi@taoshu.in> Wed, 11 September 2024 09:45 UTC

Return-Path: <hi@taoshu.in>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E0A9C151062 for <tls@ietfa.amsl.com>; Wed, 11 Sep 2024 02:45:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=taoshu.in
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DgaTb6qg1Mwu for <tls@ietfa.amsl.com>; Wed, 11 Sep 2024 02:45:44 -0700 (PDT)
Received: from mx1.lehu.in (mx1.lehu.in [IPv6:2603:c024:c00c:9e00:1::]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30D2DC14F6A1 for <tls@ietf.org>; Wed, 11 Sep 2024 02:45:44 -0700 (PDT)
DKIM-Signature: a=rsa-sha256; bh=FtQt6IwDGDS0DDl8iz1ZuIh+ckrFskGeoaXGjlnSawM=; c=relaxed/relaxed; d=taoshu.in; h=Subject:Subject:Sender:To:To:Cc:Cc:From:From:Date:Date:MIME-Version:MIME-Version:Content-Type:Content-Type:Content-Transfer-Encoding:Reply-To:In-Reply-To:In-Reply-To:Message-Id:Message-Id:References:References:Autocrypt:Openpgp; i=@taoshu.in; s=default; t=1726047939; v=1; x=1726479939; b=aFFEIOy2x7fjv6tdnFhWVi/ZzL8ioCqMaATj+H5YyQzcLUokwM76zTgK/zCCuhczkjHbS9Us ZZ0AXjeruULHQTYl8G7EDWG4cuLPThjt80b69mlpurpAvTnZvTiPEujdwam9jmL0jhGUNhZLjRd SgmAzgPIAtHk+uoWtJfcrieugWfRXvFmcEHCikpEDRElg4UWj4+gbMafkpzXZkvs9Z7SCHeOHDi DtfEbrw3dSo54iHSrzqmIzz+uhlbEsxv68loqkYJatdvwCy3MCpSc8snkh2Cy1QKfDNFCJH9jiQ tUkw++olabqv2NU82fdY2S9xfjLBbQCa8/VEuvE2gd6aw==
Received: by mx1.lehu.in (envelope-sender <hi@taoshu.in>) with ESMTPS id 409c9acd; Wed, 11 Sep 2024 09:45:39 +0000
From: 涛叔 <hi@taoshu.in>
Message-Id: <CEAB4C16-F88F-4EDB-A6FC-450F578B45FE@taoshu.in>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BC6547C8-EE65-4904-B9B6-20A62A260B6E"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3818.100.11.1.3\))
Date: Wed, 11 Sep 2024 17:45:27 +0800
In-Reply-To: <82811726047107@mail.yandex.com>
To: A A <tom25519@yandex.com>
References: <03D6DC16-2AFE-41E8-8404-F456D67582EB@taoshu.in> <ME0P282MB5587AFB9A303CE7FABEAF008A39C2@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM> <C3A1FBAA-CEB9-49FD-A50F-831D86FDECC7@taoshu.in> <ME0P282MB55870395CC2C672C7A607C01A3992@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM> <7E16914E-3F97-4DB3-8AFD-40898A4DABD0@taoshu.in> <ME0P282MB55871BDDF016659F149743E8A39B2@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM> <CDD4A0D6-188E-4CC6-B976-F5B4C384C56E@taoshu.in> <82811726047107@mail.yandex.com>
X-Mailer: Apple Mail (2.3818.100.11.1.3)
Message-ID-Hash: 6472QIAVOAPJ7LKNA5FKRXOG53AQWUAX
X-Message-ID-Hash: 6472QIAVOAPJ7LKNA5FKRXOG53AQWUAX
X-MailFrom: hi@taoshu.in
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: ECH Proxy Mode
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tMZr05JQhtffZLCvbVjd8rqVEdY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

According to https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.3

A client which receives a legacy_session_id_echo field that does not match what
it sent in the ClientHello MUST abort the handshake with an "illegal_parameter" alert.

So we can't use the legacy_session_id_echo of SH.

> On Sep 11, 2024, at 17:35, A A <tom25519@yandex.com> wrote:
> 
> I don't think need to use random, we can use Session ID, which is deprecated since TLS 1.3. Random is used to derive master key, AFAIK.
>

v2.35.0 | Report a Bug | By Email | System Status