Re: [TLS] TLS 1.3 Problem?

Michael D'Errico <> Wed, 30 September 2020 00:30 UTC


On 9/29/20 19:51, Martin Thomson wrote:
> It's symmetric crypto[1]. Hardly worth noting.
> [1] Mostly.  NSS wraps the symmetric key with an asymmetric key so that server clusters can share session ticket encryption keys without needing interconnects.  But encryption or decryption only happens once per instance.

Well, you also need a MAC, right? (encrypt-then-mac)
This requires another key and a bunch of computation.

Then you have to decode the cookie back into the server
state, and then check whether the new ClientHello (CH)
matches the original from the cookie, with possible
changes, making sure that the key_share supplied in
the new CH was in the original CH, checking that the
list of PSKs was not tampered with in invalid ways, etc.
Much of this is required of any handshake involving HRR
even if not stateless.

Seems worth noting.  Have you measured?

And how do you prevent someone from sending an old
cookie back?  If the server is truly stateless....

Did you (or a client) actually have a data center full of
memory-bound servers which are now handling many
more connections using the stateless HRR feature?

I'm not trying to be unkind, I genuinely don't understand
how stateless HRR can be beneficial.
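The cookie-handling steps the mail lists (encrypt-then-MAC, decoding the cookie back into server state, checking the second ClientHello against the first, and bounding how long an old cookie is accepted) as an added, runnable sketch that is not part of this thread or any TLS implementation. It assumes hypothetical dict-shaped ClientHellos with `groups`, `key_share` and `psks` fields, constructed demo keys, and uses HMAC-SHA256 in counter mode in place of a real block cipher since the standard library has no AES.

```python
import hmac, hashlib, json, os, struct, time

# Constructed demo keys; a real server would load its cookie-protection keys.
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
COOKIE_MAX_AGE = 30  # seconds; bounds how long a captured cookie can be replayed

def _keystream(nonce, n):
    # HMAC-SHA256 in counter mode stands in for AES-CTR (no AES in the stdlib).
    blocks = (hmac.new(ENC_KEY, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def make_cookie(first_ch, selected_group, now=None):
    """Pack the state a stateless server needs to check the post-HRR ClientHello."""
    state = {"ts": int(time.time() if now is None else now), "group": selected_group,
             "groups": first_ch["groups"], "psks": first_ch["psks"]}
    pt = json.dumps(state, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(nonce, len(pt))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def open_cookie(cookie, now=None):
    """Return the decoded state, or None if the length, MAC or age check fails."""
    if len(cookie) < 16 + 32:
        return None
    nonce, ct, tag = cookie[:16], cookie[16:-32], cookie[-32:]
    expect = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):  # verify the MAC before decrypting
        return None
    state = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))))
    if (time.time() if now is None else now) - state["ts"] > COOKIE_MAX_AGE:
        return None  # stale: a stateless server cannot remember cookies it has seen
    return state

def validate_second_ch(cookie, second_ch, now=None):
    """The consistency checks the mail lists, run against the second ClientHello."""
    state = open_cookie(cookie, now)
    if state is None:
        return False, "bad or expired cookie"
    if second_ch["groups"] != state["groups"]:
        return False, "supported_groups changed since the first ClientHello"
    if second_ch["key_share"] != state["group"] or state["group"] not in state["groups"]:
        return False, "key_share is not the group the HRR asked for"
    if second_ch["psks"] != state["psks"]:
        return False, "PSK identity list was modified"
    return True, "ok"
```

The age check is the only replay defence a truly stateless server has here: it narrows the window rather than closing it, which is the point the question above raises.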