IETF Logo Mail Archive

Re: [TLS] Securely disabling ECH

Nick Harper <ietf@nharper.org> Thu, 20 October 2022 04:41 UTC

Return-Path: <nharper@nharper.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AA34C1522BC for <tls@ietfa.amsl.com>; Wed, 19 Oct 2022 21:41:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLIkckp9tdKN for <tls@ietfa.amsl.com>; Wed, 19 Oct 2022 21:41:49 -0700 (PDT)
Received: from mail-ed1-f42.google.com (mail-ed1-f42.google.com [209.85.208.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58E1DC1522BA for <TLS@ietf.org>; Wed, 19 Oct 2022 21:41:49 -0700 (PDT)
Received: by mail-ed1-f42.google.com with SMTP id m15so28116484edb.13 for <TLS@ietf.org>; Wed, 19 Oct 2022 21:41:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GyU382IzLn6Pq1kr5L+ZUqcD6Gj1yM9eqrbe9/6y6Vw=; b=37i3VoufBtA9LnpAeGO0MPP+g9BnrTjIJ2gOssu8si10PGgmDljGASllbkewERHbPM vZ14aYunN3qLTCDAkrgySUlQvJh1JiB6Dn0zEmRAJXijjLbVgPUjgNBaOKQ7237FrwzB VlzrHjUqgorkFt76v6ItqHdUcSt/cvsliquyQac97fWd6hBmdERsBP/aJ2xVsNi1HN6G tB2sf1/nu7WZfuK6XIyuyFvC2EY8B9AziRA4t5yKpo3c0f6m+Hpt62n+HjxNBgV7eYbT mbqbCr10IZ3YgUgUZEE0N+QBsdBIX4JvDkXihPN7gVJREx+F312+uH/MoJ5Q36uPjVG8 XrLQ==
X-Gm-Message-State: ACrzQf19vDxiPCPNcsBN7zOtIJgyYQ7pX0DtNiWJnBqUiRLkESEzG+Bn HOCYiuHy9FRZ0eiRbTijAxlrvwuZVZ8oLbmo88ZfkyTQNV5Ws9zL
X-Google-Smtp-Source: AMsMyM4hzG4TaH+WJgeixIjVuxB0aBU6k0wflP8pDXoPMqkpJ93112sA2EZc3u0wzKVCr9G1dL3p6r/dUjTjEITgVsA=
X-Received: by 2002:a05:6402:4302:b0:45d:c9b4:c007 with SMTP id m2-20020a056402430200b0045dc9b4c007mr10430629edc.328.1666240906927; Wed, 19 Oct 2022 21:41:46 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBMyZFC0n47v8L+buYSME_vGxAMJJZuuVJeox6QPk1nMBw@mail.gmail.com> <BA942CF0-6D8A-4118-84A4-675384C4C197@gmail.com> <CACcvr==ioD3DMCa3wu7tkTHtA6+_JrPerT7vqYDZw_zxT3X2Yw@mail.gmail.com> <CAKAaAL1oejJpHTOieD+bFX9Wi1ky=Yvgby2Hbzaty9zOBwKcmg@mail.gmail.com>
In-Reply-To: <CAKAaAL1oejJpHTOieD+bFX9Wi1ky=Yvgby2Hbzaty9zOBwKcmg@mail.gmail.com>
From: Nick Harper <ietf@nharper.org>
Date: Wed, 19 Oct 2022 21:41:35 -0700
Message-ID: <CACcvr==tjt-FBf2G+nkiMbSxW_wMnywesuQjCVJB69Bx4vJq1g@mail.gmail.com>
To: Safe Browsing <safebrowsingnow@gmail.com>
Cc: TLS@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005e37c605eb6ff153"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zK9jYScfAMgNqwzEZcQNKDf4VDc>
Subject: Re: [TLS] Securely disabling ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2022 04:41:53 -0000

It sounds like your confusion is stemming from section 6.1.6. Upon
re-reading it, I see some room for clarity there.

Section 6.1.6 says what to do if "retry_configs" contains a value with a
client-supported version (retry with with one of those configs), and what
to do if "none of the values provided in "retry_configs" contains a
supported version, or an earlier TLS version was negotiated" (retry without
ECH). My implied reading of section 6.1.6 is that if there is no
"retry_configs", then the latter also applies (retry without ECH). That
could be made more explicit.

I disagree that any particular retry behavior should be mandated. Clients
that want wide interoperability will implement retry without ECH whether or
not the spec says it's a MUST, and likewise clients that will only connect
if ECH is used will choose to not implement the fallback regardless of what
the spec says.

On Wed, Oct 19, 2022 at 8:36 PM Safe Browsing <safebrowsingnow@gmail.com>
wrote:

> Hi Nick,
>
> Thanks for your input.
>
> Yes, what I am suggesting is instead of having: "Depending on whether X,
> this may Y or Z".
> Rather state: "If X, then MUST Y, else MUST Z"
>
> So, instead of this text in Section 8.2:
>
> "Depending on whether the client is configured to accept the proxy's
> certificate as authoritative for the public name, this may trigger the
> retry logic described in Section 6.1.6
> <https://www.ietf.org/archive/id/draft-ietf-tls-esni-15.html#rejected-ech>
>  or result in a connection failure. ..."
>
> Have something like this:
>
> "*If* the client is configured to accept the proxy's certificate as
> authoritative for the public name, the retry logic described in Section
> 6.1.6
> <https://www.ietf.org/archive/id/draft-ietf-tls-esni-15.html#rejected-ech>
>  *MUST* be exercised. Else, a connection failure *MUST* result. ..."
>
> Note that the second 'MUST' (the one in the 'else' case) is not new. It is
> already stated in the first paragraph in Section 6.1.6 as required behavior.
>
> Also note that the retry in this case would not involve the
> "retry_configs" method mentioned in Section 6.1.6. Instead, it would be
> retrying the handshake with a new transport connection and ECH disabled.
> This, ECH disabled retry, is mentioned in Section 6.1.6, but only in the
> context of "retry_configs" containing non-supported versions, or if an
> earlier TLS version was negotiated.
>
> Thus, as I also stated in one of my earlier emails, Section 6.1.6 is not
> very clear about the retry mechanism to be followed in the case discussed
> here.
>
> A suggestion for changing the text of one of the paragraphs of Section
> 6.1.6, to be more clear/explicit, would be to change:
>
> "If none of the values provided in "retry_configs" contains a supported
> version, or an earlier TLS version was negotiated, the client can regard
> ECH as securely disabled by the server, and it SHOULD retry the handshake
> with a new transport connection and ECH disabled."
>
> To:
>
> "If none of the values provided in "retry_configs" contains a supported
> version, or an earlier TLS version was negotiated, *or an **"encrypted_client_hello"
> extension was not supplied by the server,* the client can regard ECH as
> securely disabled by the server, and it *MUST* retry the handshake with a
> new transport connection and ECH disabled."
>
> This type of retry would be required only once, and a precondition for
> this "securely disabled" state is already stated in one of the earlier
> paragraphs in the same section. Namely, that the server/certificate must be
> authoritative for the public name.
>
> Again the 'MUST' in this suggested text. Note that it does not pertain to
> the "retry_configs", as stated already. But rather to the case where ECH
> has been disabled securely, in which case it would be good if the
> specification can provide the way a stack must operate in such a situation
> which the specification prescribes. I believe having a MUST here, and in
> the previous instance mentioned at the top of this email, will make stacks
> that wish to comply with the specification much more likely to to implement
> this retry mechanism, resulting in a more robust ECH deployment and
> operating environment.
>
> To the comment about Section 8.1. Yes, that section has this text that is
> relevant here:
>
> "If the server does not understand the "encrypted_client_hello" extension
> at all, it will ignore it as required by Section 4.1.2
> <https://rfc-editor.org/rfc/rfc8446#section-4.1.2> of [RFC8446
> <https://www.ietf.org/archive/id/draft-ietf-tls-esni-15.html#RFC8446>].
> Provided the server can present a certificate valid for the public name,
> the client can safely retry with updated settings, as described in Section
> 6.1.6
> <https://www.ietf.org/archive/id/draft-ietf-tls-esni-15.html#rejected-ech>
> ."
>
> So it simply refers back to Section 6.1.6 again, which then gets back to
> my earlier statement about Section 6.1.6 not being as clear as it can be
> about this situation. I.e. the situation were a retry is with ECH disabled,
> due to the lack of an ECH extension from the server, as opposed to the
> "retry_config" retry method with ECH still enabled - they are of course
> very different retry mechanisms.
>
>
> On Wed, Oct 19, 2022 at 1:44 AM Nick Harper <ietf@nharper.org> wrote:
>
>>
>>
>> On Tue, Oct 18, 2022 at 8:56 PM Safe Browsing <safebrowsingnow@gmail.com>
>> wrote:
>>
>>> The draft does consider this by allowing ECH to be disabled - as
>>> discussed in this thread. Albeit at the cost of an extra round trip.
>>> However, the connection retry logic in the presence of ECH disabling is
>>> currently optional.
>>>
>>> The draft states, in Section 8.2:
>>> “ this may trigger the retry logic”
>>>
>>> It seems this text must change to:
>>> “ this MUST trigger the retry logic”
>>>
>>
>> This language change would not make sense. The context for "this may
>> trigger the retry logic" in section 8.2 offers two options. The sentence
>> structure is "Depending on whether X, this may Y or Z", i.e. if X is
>> resolved one way, then the client does Y, otherwise it does Z. Changing the
>> "may" to "MUST" would result in stating "this MUST trigger the retry logic
>> described in Section 6.1.6 or result in a connection failure", which
>> doesn't really make sense, and wouldn't have the goal you'd like, since a
>> connection failure instead of retry logic would satisfy the MUST.
>>
>> If your server is authoritative for the public name, then the behavior
>> you care about is described in section 8.1.
>>
>> I suspect most implementations of ECH will implement the retry logic, as
>> the misconfigurations and deployment concerns described in section 8.1 are
>> an inevitability, and implementing the retry logic avoids connection
>> failures that would occur without it. I doubt that adding a MUST would make
>> someone more likely to implement the retry logic.
>>
>>>
>>> In order to ensure functional connections in a TLS client agnostic
>>> manner, in the presence of protocol level ECH disabling.
>>>
>>> I would appreciate your thoughts/input.
>>>
>>> On Oct 8, 2022, at 7:41 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>> 
>>> If you are able to install a new trust anchor, then you should be able
>>> to use the enterprise configuration mechanisms in browsers to disable ECH.
>>>
>>> -Ekr
>>>
>>>
>>> On Fri, Oct 7, 2022 at 8:40 PM Safe Browsing <safebrowsingnow@gmail.com>
>>> wrote:
>>>
>>>> Hi Rich,
>>>>
>>>> When I say “authoritative”, I mean it in the true TLS sense, in the way
>>>> that I believe the ECH draft also suggests and requires.
>>>>
>>>> In other words, the middlebox serves a cert to the client that is
>>>> cryptographically valid for the said public name of the client facing
>>>> server.
>>>>
>>>> How can that be when the client facing server guards its private key
>>>> properly? By re-signing the server certificate on the middlebox with a
>>>> private key, local to the middle box only, for which the corresponding
>>>> certificate has been installed in the trust store of the client, before
>>>> sending it on to the client. Only after the original server
>>>> certificate has been validated properly on the middlebox, of course. Message
>>>> digests being managed accordingly/appropriately.
>>>>
>>>> That is a very typical setup for most (all?) TLS inspection devices
>>>> (next gen firewalls and such).
>>>>
>>>> Thus this part of ECH, requiring the middlebox to be authoritative for
>>>> the server, is well understood and prolifically exercised in inspected TLS
>>>> sessions today. What is new is that these connections can now fail/close,
>>>> in the “securely disabling ECH” case, and the onus is on the TLS client,
>>>> not the application, to retry the connection without ECH.
>>>>
>>>> I am after such a client, if one exists already.
>>>>
>>>> Thank you.
>>>>
>>>> Sent from my phone
>>>>
>>>> On Oct 7, 2022, at 11:41 AM, Salz, Rich <rsalz@akamai.com> wrote:
>>>>
>>>> 
>>>>
>>>>
>>>>
>>>>    - Client <-> *Middlebox* <-> Client-facing server <-> Backend server
>>>>
>>>>
>>>>
>>>>    - With "Middlebox" really meaning a middlebox like a firewall or
>>>>    similar.
>>>>
>>>>
>>>>
>>>> The middlebox is not allowed to modify traffic between the client and
>>>> the server. Doing so would mean that the packets the client sent are not
>>>> the ones that the server received, and the two message digests would
>>>> disagree.  (If you think about things, it **has** to be this way,
>>>> otherwise TLS would not be able to provide integrity guarantees.)
>>>>
>>>>
>>>>
>>>>    - From the draft, ECH seems to be designed to still allow
>>>>    successful TLS connection establishment if the encrypted_client_hello
>>>>    extension is dropped from the ClientHello on a conforming middlebox.
>>>>    Provided that the middlebox is authoritative for the client-facing server's
>>>>    public name, as reported/delivered by DNS to the client. We can assume that
>>>>    this is the case here.
>>>>
>>>>
>>>>
>>>> I do not understand what you mean by this.  The word “authoritative” is
>>>> used to mean that it has a certificate and keypair and can do TLS
>>>> termination. DNS giving the client a particular IP address is not
>>>> authoritative. It can be confusing because DNS terminology uses
>>>> authoritative to mean that a particular entity can prepare data used for
>>>> DNS responses.  But it is not authoritative in the TLS sense.
>>>>
>>>>
>>>>
>>>> I think your questions can be answered with those two overall
>>>> corrections above.  If not, please continue the thread.  (And feel free to
>>>> repost from your note since I trimmed for brevity.)
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>

v2.23.0 | Report a Bug | By Email