Re: [TLS] Securely disabling ECH
Nick Harper <ietf@nharper.org> Thu, 20 October 2022 04:41 UTC
Return-Path: <nharper@nharper.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AA34C1522BC for <tls@ietfa.amsl.com>; Wed, 19 Oct 2022 21:41:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLIkckp9tdKN for <tls@ietfa.amsl.com>; Wed, 19 Oct 2022 21:41:49 -0700 (PDT)
Received: from mail-ed1-f42.google.com (mail-ed1-f42.google.com [209.85.208.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58E1DC1522BA for <TLS@ietf.org>; Wed, 19 Oct 2022 21:41:49 -0700 (PDT)
Received: by mail-ed1-f42.google.com with SMTP id m15so28116484edb.13 for <TLS@ietf.org>; Wed, 19 Oct 2022 21:41:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GyU382IzLn6Pq1kr5L+ZUqcD6Gj1yM9eqrbe9/6y6Vw=; b=37i3VoufBtA9LnpAeGO0MPP+g9BnrTjIJ2gOssu8si10PGgmDljGASllbkewERHbPM vZ14aYunN3qLTCDAkrgySUlQvJh1JiB6Dn0zEmRAJXijjLbVgPUjgNBaOKQ7237FrwzB VlzrHjUqgorkFt76v6ItqHdUcSt/cvsliquyQac97fWd6hBmdERsBP/aJ2xVsNi1HN6G tB2sf1/nu7WZfuK6XIyuyFvC2EY8B9AziRA4t5yKpo3c0f6m+Hpt62n+HjxNBgV7eYbT mbqbCr10IZ3YgUgUZEE0N+QBsdBIX4JvDkXihPN7gVJREx+F312+uH/MoJ5Q36uPjVG8 XrLQ==
X-Gm-Message-State: ACrzQf19vDxiPCPNcsBN7zOtIJgyYQ7pX0DtNiWJnBqUiRLkESEzG+Bn HOCYiuHy9FRZ0eiRbTijAxlrvwuZVZ8oLbmo88ZfkyTQNV5Ws9zL
X-Google-Smtp-Source: AMsMyM4hzG4TaH+WJgeixIjVuxB0aBU6k0wflP8pDXoPMqkpJ93112sA2EZc3u0wzKVCr9G1dL3p6r/dUjTjEITgVsA=
X-Received: by 2002:a05:6402:4302:b0:45d:c9b4:c007 with SMTP id m2-20020a056402430200b0045dc9b4c007mr10430629edc.328.1666240906927; Wed, 19 Oct 2022 21:41:46 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMyZFC0n47v8L+buYSME_vGxAMJJZuuVJeox6QPk1nMBw@mail.gmail.com> <BA942CF0-6D8A-4118-84A4-675384C4C197@gmail.com> <CACcvr==ioD3DMCa3wu7tkTHtA6+_JrPerT7vqYDZw_zxT3X2Yw@mail.gmail.com> <CAKAaAL1oejJpHTOieD+bFX9Wi1ky=Yvgby2Hbzaty9zOBwKcmg@mail.gmail.com>
In-Reply-To: <CAKAaAL1oejJpHTOieD+bFX9Wi1ky=Yvgby2Hbzaty9zOBwKcmg@mail.gmail.com>
From: Nick Harper <ietf@nharper.org>
Date: Wed, 19 Oct 2022 21:41:35 -0700
Message-ID: <CACcvr==tjt-FBf2G+nkiMbSxW_wMnywesuQjCVJB69Bx4vJq1g@mail.gmail.com>
To: Safe Browsing <safebrowsingnow@gmail.com>
Cc: TLS@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005e37c605eb6ff153"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zK9jYScfAMgNqwzEZcQNKDf4VDc>
Subject: Re: [TLS] Securely disabling ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2022 04:41:53 -0000
It sounds like your confusion is stemming from section 6.1.6. Upon re-reading it, I see some room for clarity there. Section 6.1.6 says what to do if "retry_configs" contains a value with a client-supported version (retry with with one of those configs), and what to do if "none of the values provided in "retry_configs" contains a supported version, or an earlier TLS version was negotiated" (retry without ECH). My implied reading of section 6.1.6 is that if there is no "retry_configs", then the latter also applies (retry without ECH). That could be made more explicit. I disagree that any particular retry behavior should be mandated. Clients that want wide interoperability will implement retry without ECH whether or not the spec says it's a MUST, and likewise clients that will only connect if ECH is used will choose to not implement the fallback regardless of what the spec says. On Wed, Oct 19, 2022 at 8:36 PM Safe Browsing <safebrowsingnow@gmail.com> wrote: > Hi Nick, > > Thanks for your input. > > Yes, what I am suggesting is instead of having: "Depending on whether X, > this may Y or Z". > Rather state: "If X, then MUST Y, else MUST Z" > > So, instead of this text in Section 8.2: > > "Depending on whether the client is configured to accept the proxy's > certificate as authoritative for the public name, this may trigger the > retry logic described in Section 6.1.6 > <https://www.ietf.org/archive/id/draft-ietf-tls-esni-15.html#rejected-ech> > or result in a connection failure. ..." > > Have something like this: > > "*If* the client is configured to accept the proxy's certificate as > authoritative for the public name, the retry logic described in Section > 6.1.6 > <https://www.ietf.org/archive/id/draft-ietf-tls-esni-15.html#rejected-ech> > *MUST* be exercised. Else, a connection failure *MUST* result. ..." > > Note that the second 'MUST' (the one in the 'else' case) is not new. It is > already stated in the first paragraph in Section 6.1.6 as required behavior. > > Also note that the retry in this case would not involve the > "retry_configs" method mentioned in Section 6.1.6. Instead, it would be > retrying the handshake with a new transport connection and ECH disabled. > This, ECH disabled retry, is mentioned in Section 6.1.6, but only in the > context of "retry_configs" containing non-supported versions, or if an > earlier TLS version was negotiated. > > Thus, as I also stated in one of my earlier emails, Section 6.1.6 is not > very clear about the retry mechanism to be followed in the case discussed > here. > > A suggestion for changing the text of one of the paragraphs of Section > 6.1.6, to be more clear/explicit, would be to change: > > "If none of the values provided in "retry_configs" contains a supported > version, or an earlier TLS version was negotiated, the client can regard > ECH as securely disabled by the server, and it SHOULD retry the handshake > with a new transport connection and ECH disabled." > > To: > > "If none of the values provided in "retry_configs" contains a supported > version, or an earlier TLS version was negotiated, *or an **"encrypted_client_hello" > extension was not supplied by the server,* the client can regard ECH as > securely disabled by the server, and it *MUST* retry the handshake with a > new transport connection and ECH disabled." > > This type of retry would be required only once, and a precondition for > this "securely disabled" state is already stated in one of the earlier > paragraphs in the same section. Namely, that the server/certificate must be > authoritative for the public name. > > Again the 'MUST' in this suggested text. Note that it does not pertain to > the "retry_configs", as stated already. But rather to the case where ECH > has been disabled securely, in which case it would be good if the > specification can provide the way a stack must operate in such a situation > which the specification prescribes. I believe having a MUST here, and in > the previous instance mentioned at the top of this email, will make stacks > that wish to comply with the specification much more likely to to implement > this retry mechanism, resulting in a more robust ECH deployment and > operating environment. > > To the comment about Section 8.1. Yes, that section has this text that is > relevant here: > > "If the server does not understand the "encrypted_client_hello" extension > at all, it will ignore it as required by Section 4.1.2 > <https://rfc-editor.org/rfc/rfc8446#section-4.1.2> of [RFC8446 > <https://www.ietf.org/archive/id/draft-ietf-tls-esni-15.html#RFC8446>]. > Provided the server can present a certificate valid for the public name, > the client can safely retry with updated settings, as described in Section > 6.1.6 > <https://www.ietf.org/archive/id/draft-ietf-tls-esni-15.html#rejected-ech> > ." > > So it simply refers back to Section 6.1.6 again, which then gets back to > my earlier statement about Section 6.1.6 not being as clear as it can be > about this situation. I.e. the situation were a retry is with ECH disabled, > due to the lack of an ECH extension from the server, as opposed to the > "retry_config" retry method with ECH still enabled - they are of course > very different retry mechanisms. > > > On Wed, Oct 19, 2022 at 1:44 AM Nick Harper <ietf@nharper.org> wrote: > >> >> >> On Tue, Oct 18, 2022 at 8:56 PM Safe Browsing <safebrowsingnow@gmail.com> >> wrote: >> >>> The draft does consider this by allowing ECH to be disabled - as >>> discussed in this thread. Albeit at the cost of an extra round trip. >>> However, the connection retry logic in the presence of ECH disabling is >>> currently optional. >>> >>> The draft states, in Section 8.2: >>> “ this may trigger the retry logic” >>> >>> It seems this text must change to: >>> “ this MUST trigger the retry logic” >>> >> >> This language change would not make sense. The context for "this may >> trigger the retry logic" in section 8.2 offers two options. The sentence >> structure is "Depending on whether X, this may Y or Z", i.e. if X is >> resolved one way, then the client does Y, otherwise it does Z. Changing the >> "may" to "MUST" would result in stating "this MUST trigger the retry logic >> described in Section 6.1.6 or result in a connection failure", which >> doesn't really make sense, and wouldn't have the goal you'd like, since a >> connection failure instead of retry logic would satisfy the MUST. >> >> If your server is authoritative for the public name, then the behavior >> you care about is described in section 8.1. >> >> I suspect most implementations of ECH will implement the retry logic, as >> the misconfigurations and deployment concerns described in section 8.1 are >> an inevitability, and implementing the retry logic avoids connection >> failures that would occur without it. I doubt that adding a MUST would make >> someone more likely to implement the retry logic. >> >>> >>> In order to ensure functional connections in a TLS client agnostic >>> manner, in the presence of protocol level ECH disabling. >>> >>> I would appreciate your thoughts/input. >>> >>> On Oct 8, 2022, at 7:41 PM, Eric Rescorla <ekr@rtfm.com> wrote: >>> >>> >>> If you are able to install a new trust anchor, then you should be able >>> to use the enterprise configuration mechanisms in browsers to disable ECH. >>> >>> -Ekr >>> >>> >>> On Fri, Oct 7, 2022 at 8:40 PM Safe Browsing <safebrowsingnow@gmail.com> >>> wrote: >>> >>>> Hi Rich, >>>> >>>> When I say “authoritative”, I mean it in the true TLS sense, in the way >>>> that I believe the ECH draft also suggests and requires. >>>> >>>> In other words, the middlebox serves a cert to the client that is >>>> cryptographically valid for the said public name of the client facing >>>> server. >>>> >>>> How can that be when the client facing server guards its private key >>>> properly? By re-signing the server certificate on the middlebox with a >>>> private key, local to the middle box only, for which the corresponding >>>> certificate has been installed in the trust store of the client, before >>>> sending it on to the client. Only after the original server >>>> certificate has been validated properly on the middlebox, of course. Message >>>> digests being managed accordingly/appropriately. >>>> >>>> That is a very typical setup for most (all?) TLS inspection devices >>>> (next gen firewalls and such). >>>> >>>> Thus this part of ECH, requiring the middlebox to be authoritative for >>>> the server, is well understood and prolifically exercised in inspected TLS >>>> sessions today. What is new is that these connections can now fail/close, >>>> in the “securely disabling ECH” case, and the onus is on the TLS client, >>>> not the application, to retry the connection without ECH. >>>> >>>> I am after such a client, if one exists already. >>>> >>>> Thank you. >>>> >>>> Sent from my phone >>>> >>>> On Oct 7, 2022, at 11:41 AM, Salz, Rich <rsalz@akamai.com> wrote: >>>> >>>> >>>> >>>> >>>> >>>> - Client <-> *Middlebox* <-> Client-facing server <-> Backend server >>>> >>>> >>>> >>>> - With "Middlebox" really meaning a middlebox like a firewall or >>>> similar. >>>> >>>> >>>> >>>> The middlebox is not allowed to modify traffic between the client and >>>> the server. Doing so would mean that the packets the client sent are not >>>> the ones that the server received, and the two message digests would >>>> disagree. (If you think about things, it **has** to be this way, >>>> otherwise TLS would not be able to provide integrity guarantees.) >>>> >>>> >>>> >>>> - From the draft, ECH seems to be designed to still allow >>>> successful TLS connection establishment if the encrypted_client_hello >>>> extension is dropped from the ClientHello on a conforming middlebox. >>>> Provided that the middlebox is authoritative for the client-facing server's >>>> public name, as reported/delivered by DNS to the client. We can assume that >>>> this is the case here. >>>> >>>> >>>> >>>> I do not understand what you mean by this. The word “authoritative” is >>>> used to mean that it has a certificate and keypair and can do TLS >>>> termination. DNS giving the client a particular IP address is not >>>> authoritative. It can be confusing because DNS terminology uses >>>> authoritative to mean that a particular entity can prepare data used for >>>> DNS responses. But it is not authoritative in the TLS sense. >>>> >>>> >>>> >>>> I think your questions can be answered with those two overall >>>> corrections above. If not, please continue the thread. (And feel free to >>>> repost from your note since I trimmed for brevity.) >>>> >>>> >>>> >>>> _______________________________________________ >>>> TLS mailing list >>>> TLS@ietf.org >>>> https://www.ietf.org/mailman/listinfo/tls >>>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >>
- [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Eric Rescorla
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Salz, Rich
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Salz, Rich
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Eric Rescorla
- Re: [TLS] Securely disabling ECH ietf
- Re: [TLS] Securely disabling ECH Hannes Tschofenig
- Re: [TLS] Securely disabling ECH Salz, Rich
- Re: [TLS] Securely disabling ECH Dennis Jackson
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Nick Harper
- Re: [TLS] Securely disabling ECH Hannes Tschofenig
- Re: [TLS] Securely disabling ECH Christian Huitema
- Re: [TLS] Securely disabling ECH Christian Huitema
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Salz, Rich
- Re: [TLS] Securely disabling ECH Nick Harper
- Re: [TLS] Securely disabling ECH Salz, Rich
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Safe Browsing
- Re: [TLS] Securely disabling ECH Rob Sayre
- Re: [TLS] Securely disabling ECH Stephen Farrell