Re: [TLS] TLS 1.3 draft 22 middlebox interaction

Hanno Böck <hanno@hboeck.de> Sat, 02 December 2017 14:55 UTC

Date: Sat, 02 Dec 2017 15:55:25 +0100
From: Hanno Böck <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20171202155525.56580484@pc1>
In-Reply-To: <DB4A1029-DBE2-44D1-97F5-DFFF13BAB52A@nerd.ninja>
References: <DB4A1029-DBE2-44D1-97F5-DFFF13BAB52A@nerd.ninja>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/w-Vmz0RsXXUYQikZoUpD9R741ec>
Subject: Re: [TLS] TLS 1.3 draft 22 middlebox interaction

On Fri, 01 Dec 2017 09:47:45 -0500
R du Toit <r@nerd.ninja> wrote:

> The middlebox in question supports TLS 1.3, but only drafts 18
> through 21.  The FF Nightly ClientHello supported_versions extension
> advertises support for TLS 1.2 and TLS 1.3 (draft 22),

Sorry, can you please name names here? In what universe does this make
any sense?

The middlebox shouldn't look at specific TLS versions. And it certainly
shouldn't look at specific TLS 1.3 drafts. It should just leave the
traffic alone.
Doing anything of the form "we'll accept traffic of TLS version X, but
not of any version unknown to us" is certain to cause breakage in the
future. Whoever built this is harming the Internet, full stop.

I really don't understand why there is such intransparency over this
issue. Why can't we at least make clear who are the companies
responsible for this nonsense?

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
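To make the breakage Hanno describes concrete, here is an added example (not code from the thread or from any product mentioned in it). It builds a minimal TLS 1.3-style ClientHello, parses its supported_versions extension, and runs it through two hypothetical middlebox policies: the "allow only versions we know" policy the message objects to, and a policy that ignores versions entirely. The version code points are from the TLS 1.3 drafts and RFC 8446 (drafts were advertised as 0x7fNN for draft NN, so draft 22 is 0x7f16; TLS 1.2 is 0x0303); the two policy functions, the cipher-suite choice and the sample clients are constructed for illustration.

```python
"""Minimal ClientHello builder/parser showing why a middlebox that allow-lists
specific TLS versions (or TLS 1.3 draft numbers) breaks when a newer draft ships.
Constructed example; the middlebox policies are models, not any vendor's code."""
import os
import struct

EXT_SUPPORTED_VERSIONS = 43   # ExtensionType supported_versions (TLS 1.3)
TLS12 = 0x0303                 # ProtocolVersion for TLS 1.2
TLS13_FINAL = 0x0304           # assigned by RFC 8446; not yet in use when the thread was written
TLS_AES_128_GCM_SHA256 = 0x1301


def draft(n):
    """Code point advertised by draft-ietf-tls-tls13-NN implementations (0x7fNN)."""
    return 0x7F00 | n


def build_client_hello(versions, random_bytes=None):
    """Return one TLS record carrying a ClientHello whose supported_versions
    extension lists `versions` in client preference order."""
    random_bytes = random_bytes or os.urandom(32)
    sv_body = struct.pack("!B", 2 * len(versions))
    sv_body += b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body
    body = (
        struct.pack("!H", TLS12)                       # legacy_version is always 0x0303
        + random_bytes
        + b"\x00"                                      # empty legacy_session_id
        + struct.pack("!HH", 2, TLS_AES_128_GCM_SHA256)  # one cipher suite
        + b"\x01\x00"                                  # legacy_compression_methods = {null}
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", TLS12, len(handshake)) + handshake  # ContentType handshake


def parse_supported_versions(record):
    """Return the supported_versions list of a ClientHello record, or None when
    the extension is absent (a client that speaks at most TLS 1.2)."""
    off = 5 + 4                       # record header + handshake header
    off += 2 + 32                     # legacy_version + random
    off += 1 + record[off]            # legacy_session_id
    cs_len = struct.unpack_from("!H", record, off)[0]
    off += 2 + cs_len                 # cipher_suites
    off += 1 + record[off]            # legacy_compression_methods
    ext_len = struct.unpack_from("!H", record, off)[0]
    off += 2
    end = off + ext_len
    while off < end:
        etype, elen = struct.unpack_from("!HH", record, off)
        off += 4
        if etype == EXT_SUPPORTED_VERSIONS:
            n = record[off]
            return [struct.unpack_from("!H", record, off + 1 + 2 * i)[0] for i in range(n // 2)]
        off += elen
    return None


def brittle_middlebox(record, known_versions):
    """The policy the thread complains about: forward only ClientHellos whose
    every advertised version is one the box recognises; block anything else."""
    versions = parse_supported_versions(record)
    if versions is None:
        return "allow"
    return "allow" if all(v in known_versions for v in versions) else "block"


def transparent_middlebox(record):
    """The behaviour asked for in the message: don't inspect versions, just forward."""
    return "allow"


def demo():
    """Replay the reported situation: a box knowing drafts 18-21 meets a draft-22 client."""
    known = {TLS12} | {draft(n) for n in range(18, 22)}
    draft22_client = build_client_hello([draft(22), TLS12])   # FF Nightly-style hello
    draft21_client = build_client_hello([draft(21), TLS12])
    return {
        "draft21_brittle": brittle_middlebox(draft21_client, known),
        "draft22_brittle": brittle_middlebox(draft22_client, known),
        "draft22_transparent": transparent_middlebox(draft22_client),
    }


if __name__ == "__main__":
    print(demo())
```

The same allow-list fails again for 0x0304 once RFC 8446 clients appear, which is the point of the message: any policy that enumerates acceptable versions is guaranteed to break on the next one.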