Re: [TLS] Keeping TLS extension points working

Raja ashok <> Tue, 02 August 2016 06:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 572ED12B004 for <>; Mon, 1 Aug 2016 23:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.497
X-Spam-Status: No, score=-5.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C2Lth-TDzg8k for <>; Mon, 1 Aug 2016 23:58:55 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E569D127078 for <>; Mon, 1 Aug 2016 23:58:53 -0700 (PDT)
Received: from (EHLO ([]) by (MOS 4.3.7-GA FastPath queued) with ESMTP id COS74379; Tue, 02 Aug 2016 06:58:50 +0000 (GMT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 2 Aug 2016 07:58:30 +0100
Received: from ([]) by ([]) with mapi id 14.03.0235.001; Tue, 2 Aug 2016 12:28:17 +0530
From: Raja ashok <>
To: David Benjamin <>, "" <>
Thread-Topic: [TLS] Keeping TLS extension points working
Thread-Index: AQHR5sSGP8jlE9Wa4UKbNZzI09Q7v6A0G4+w
Date: Tue, 2 Aug 2016 06:58:16 +0000
Message-ID: <FDFEA8C9B9B6BD4685DCC959079C81F5E18BF559@blreml502-mbx>
References: <>
In-Reply-To: <>
Accept-Language: en-US, zh-CN
Content-Language: en-US
X-MS-Has-Attach: yes
x-originating-ip: []
Content-Type: multipart/related; boundary="_004_FDFEA8C9B9B6BD4685DCC959079C81F5E18BF559blreml502mbx_"; type="multipart/alternative"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0203.57A044AB.014C, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 6c7d1f084f708807fb0e4f5e49953032
Archived-At: <>
Subject: Re: [TLS] Keeping TLS extension points working
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Aug 2016 06:58:58 -0000

Hi Benjamin,

I have gone through the GREASE mechanism which you proposed in your new draft. It’s really a nice idea for finding a buggy server before it thrives.

I am having few doubts on this, which are listed below.

a)      What should be the behaviour of client incase if a buggy server responded for a GREASE value ?

-          Consider a client sends a GREASE cipher value at first place and followed by valid cipher suites, in its client hello.

-          If a buggy server selects that cipher then it will response server hello with that GREASE cipher value. At this case if client sends FATAL alert then both side TLS and TCP needs to be closed and client needs to recreate a new TCP connection, and then restart TLS handshake without GREASE cipher value.

-          Instead of this we can make client to send warning alert (with new TLS alert code GREASE_CIPHER_VALUE_SELECTED(111)) and restart TLS handshake by sending client hello again.

-          If a server receives this new warning, then it should be ready to receive new client hello to restart handshake.

SERVER                                                                                                                         CLIENT

CH (GREASE Cipher value & Valid Cipher value)          ------>

                                                                        <-------                  SH (GREASE cipher value)

Fatal alert                    -------->

TCP (SYN)                    -------->

                                                                                                        <--------                TCP(SYN ACK)

TCP (ACK)                    -------->

CH (Valid cipher value)                                                          ------->

                        Scenario 1 : Sending FATAL alert for server selecting GREASE value

SERVER                                                                                                                         CLIENT

CH (GREASE Cipher value & Valid Cipher value)          ------->

                                                                        <-------                  SH (GREASE cipher value)

Warning alert             -------->

CH (Valid cipher value)                                                          ------->

                        Scenario 2 : Sending WARNING alert for server selecting GREASE value

-          I hope sending warning msg and restarting TLS handshake will be efficient.

-          TLS Server must notify the application, whenever it receives a GREASE warning alert.

b)      Why only few values are specified as GREASE value ? Basically all value which are not specified by IANA should be considered as GREASE value right ?

-          Basically client should maintain the list of values (cipher suite, extensions) specified by IANA. The range of values.

-          For example IANA specified cipher suite values are {{0x0000,0x005C}, {0x0060,0x006D}, {0x0084, 0x00C5}, {0x00FF, 0x00FF} ….. }. This should be maintained in client.

-          We should make the client to choose a random value which are not in this supported value list. That cipher value should be considered as GREASE value and need to keep in first place of its cipher list.

-          If its selected by a buggy server, then client should behave as mentioned in above scenario 2.

-          Even in future if IANA provides new values to new cipher, then this list also should be updated. Consider in this case server is supporting that new cipher and client is not aware about it, so client can propose that value as GREASE value, then still connection will work with the 2nd handshake.

-          I am not understanding why we are planning to maintain a few set of GREASE values {0x0A0A, 0x1A1A …. }. If I am missing something, please clarify me.

R Ashok

Raja Ashok VK
华为技术有限公司 Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd.
Bangalore, India
This e-mail and its attachments contain confidential information from HUAWEI, which
is intended only for the person or entity whose address is listed above. Any use of the
information contained herein in any way (including, but not limited to, total or partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by
phone or email immediately and delete it!
From: TLS [] On Behalf Of David Benjamin
Sent: 26 July 2016 04:02
Subject: [TLS] Keeping TLS extension points working

Hi folks,

I'm not sure how this process usually works, but I would like to reserve a bunch of values in the TLS registries to as part of an idea to keep our extension points working. Here's an I-D:

(The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy from )

One problem we repeatedly run into is servers failing to implement TLS's various extension points correctly. The most obvious being version intolerance. When we deployed X25519 in Chrome, we discovered an intolerant implementation. (Thankfully it was rare enough to not warrant a fallback or revert!) It appears that signature algorithms maybe also be gathering rust. Ciphers and extensions seem to have held up, but I would like to ensure they stay that way.

The root problem here is these broken servers interoperate fine with clients at the time they are deployed. It is only after new values get defined do we notice, by which time it is too late.

I would like to fix this by reserving a few values in our registries so that clients may advertise random ones and regularly exercise these codepaths in servers. If enough of the client base does this, we can turn a large class of tomorrow's interop failures into today's interop failures. This is important because an bug will not thrive in the ecosystem if it does not work against the current deployment.

If you were in Berlin, you may recognize this idea from the version negotiation debate. Alas that all happened in the wrong order as I hadn't written this up yet. This idea can't be applied to versioning without giving up on ClientHello.version, but we can start with the rest of the protocol.


PS: This is actually my first I-D, so apologies if I've messed it up somewhere!