[TLS] ECH Proxy Mode
涛叔 <hi@taoshu.in> Tue, 03 September 2024 14:52 UTC
Return-Path: <hi@taoshu.in>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F436C18DBA0 for <tls@ietfa.amsl.com>; Tue, 3 Sep 2024 07:52:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=taoshu.in
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FBPr-d7NEbmA for <tls@ietfa.amsl.com>; Tue, 3 Sep 2024 07:52:26 -0700 (PDT)
Received: from mx1.lehu.in (mx1.lehu.in [IPv6:2603:c024:c00c:9e00:1::]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28992C14F6FD for <tls@ietf.org>; Tue, 3 Sep 2024 07:52:26 -0700 (PDT)
DKIM-Signature: a=rsa-sha256; bh=lCnRjN25b2p/JOCQe7kPt1iPQApiiyjHNriwCTCjcZ4=; c=relaxed/relaxed; d=taoshu.in; h=Subject:Subject:Sender:To:To:Cc:From:From:Date:Date:MIME-Version:MIME-Version:Content-Type:Content-Type:Content-Transfer-Encoding:Content-Transfer-Encoding:Reply-To:In-Reply-To:Message-Id:Message-Id:References:Autocrypt:Openpgp; i=@taoshu.in; s=default; t=1725375145; v=1; x=1725807145; b=EAHhX831RzzMrE60OshyemXq8r7xXcmKzmJJGODcSX8AVI1+EhsQ1CCpdre2rlTeNkdEywdy F4LZ0bEhJbqVxB4NJJnWHCUogVi5pJM4fC+qWNxKAR9JPtJ7E0d03aMkjyvRHzX5Jre8f+z1hCj 8FTxaKqqigQdpldSV93cc6Rq3OdL+hN/8wkRFcV5sdWZ62G7Wch3ep72r/iAxENRBAQ8Z66rz1a ulJ9rOvRMAgKHsUfcpvLcU3aNSnBrqgPA6xkOSGaHjHzI1TvlA5BX0nFua3Y400cqdE2ZJoe3Zt rOYd7Urw0S1Zn2XBNfeDaN4NhSVICd05YwcUuXXTbFd3A==
Received: by mx1.lehu.in (envelope-sender <hi@taoshu.in>) with ESMTPS id cd68bb74; Tue, 03 Sep 2024 14:52:25 +0000
From: 涛叔 <hi@taoshu.in>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3818.100.11.1.3\))
Message-Id: <03D6DC16-2AFE-41E8-8404-F456D67582EB@taoshu.in>
Date: Tue, 03 Sep 2024 22:52:13 +0800
To: tls@ietf.org
X-Mailer: Apple Mail (2.3818.100.11.1.3)
Message-ID-Hash: 4EJ45BMNBY7CFHRBMV2NJMGL6J5N6X4L
X-Message-ID-Hash: 4EJ45BMNBY7CFHRBMV2NJMGL6J5N6X4L
X-MailFrom: hi@taoshu.in
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] ECH Proxy Mode
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tk87eQR56gF3tFzObuv6DG0e_9M>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi, In the split mode of the current draft of ECH, both the client-facing server and the backend server are needed to be ECH-aware. As upon the client-facing server decrypted the ClientHelloOut, it will forward the ClientHelloInner to the backend server, and waiting the backend's ServerHello with random embed with the accept_confirmation. If you want to deploy ECH, you have to upgrade both the client-facing server and the backend server. However, it is not an easy task to upgrade all the backend server in one day. So I am wondering if it is possible to adjust the design to allow the deployment without altering the backend server. Suppose we use the following topology: browser <-----> ECH-aware Client-facing server <------> normal TLS backend server For any TLS backend server, for example, https://example.com, We only upgrade the browser and the client-facing server. The browser fetch the ECH config from DNS, and encrypt the ClientHello according the current draft design. The client-facing decrypt the ClientHelloInner and use it as the normal ClientHello to do the TLS handshake to the normal TLS backend server without any ECH extension. Upon the normal TLS backend server receive the decrypted ClientHello, it response the normal ServerHello to the client-facing server. After receiving the ServerHello from the backend server, the client-facing server need to response the accept_confirmation to the browser. This is the design changes I propose to change. Because the current draft requires the backed server generate the accept_confirmation bytes and embed it into the random of ServerHello, which can not be changed by the client-facing server. In order to support ECH for normal existing TLS server, we may let the client-facing response the accept_confirmation on behalf of the backend server, which means we can not use the random field of ServerHello to store the accept_confirmation, because changing it will abort the TLS handshake. So is it possible to transfer the accept_confirmation in some plain text extensions like Key Share, or other dedicated extension? If it is possible, we can deploy ECH by only upgrading the browser and client-facing server without require change all the existing backend server. This idea was derived from my attempt to implement encrypted TLS SNI Proxy. The SNI does not only expose privacy information, many ISP use it to block certain web site. Even though the current draft of ECH works to protect the ClientHello, it can only protect the sites that deployed the ECH. If we can adjust the current design and let the client-facing generate and response the accept_confirmation signal, we can make ECH everywhere without upgrading any of current TLS backend server. Which means the client-facing can work as an encrypted TLS SNI Proxy. Please consider my proposal and give your comments Thanks.
- [TLS] Re: ECH Proxy Mode Raghu Saxena
- [TLS] Re: ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode Christopher Patton
- [TLS] Re: ECH Proxy Mode Raghu Saxena
- [TLS] Re: ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode Raghu Saxena
- [TLS] Re: ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode A A
- [TLS] Re: ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode A A
- [TLS] Re: ECH Proxy Mode Naomi Kirby
- [TLS] ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode A A