Re: [TLS] sslkeylogfile

2022-10-25 Thread Martin Thomson 
On Tue, Oct 25, 2022, at 16:48, Peter Gutmann wrote:
> But it's not the same thing, it only seems to cover some TLS 1.3 extensions.
> Thus my suggestion to call it "Extensions to the SSLKEYLOGFILE Format for TLS
> 1.3".

That's not the intent.  Section 3.2 covers all you need for TLS 1.2.

I did not describe the (deprecated) "RSA" key, is that in common usage?  Or, 
are there things that I have missed?  I got everything from 
https://firefox-source-docs.mozilla.org/security/nss/legacy/key_log_format/index.html
 but maybe that is no longer the best reference.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] [EXTERNAL] Re: Published RFC 8446bis -05

2022-10-25 Thread Rob Sayre 
On Tue, Oct 25, 2022 at 3:40 PM Andrei Popov 
wrote:

> (It's also not clear to me how we would get rid of HRR in a future TLS
> version, without removing algorithm options, adding round-trips, or relying
> on some out-of-band signals.)
>

It was pretty much the idea to do those things, although I don't think
there is much of an appetite in the WG to do it. I think getting rid of HRR
would be worth it, but my opinion is in the rough.

thanks,
Rob
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] [EXTERNAL] Re: Published RFC 8446bis -05

2022-10-25 Thread Andrei Popov 
In TLS <= 1.2, the client and server agree on the (EC)DHE group to use for key 
exchange by negotiating it (at the cost of a round-trip).

In TLS 1.3, the client tries to guess what (EC)DHE group(s) the server might 
support and sends key share(s) accordingly (saving a round-trip).
When a TLS 1.3 client fails to guess correctly, HRR message triggers handshake 
restart, this time with no guessing involved.
This failure to guess is undesirable, but luckily not very frequent (as long as 
TLS implementers choose to prioritize roughly the same sets of (EC)DHE groups).

The introduction of PQ algorithms and hybrid key exchange will add options and 
at the same time may reduce the number of different key shares the TLS client 
is willing/able to generate and send. It is possible that the HRR message flow 
might become more common during the PQC transition.

How can we possibly deprecate HRR (without deprecating TLS 1.3)?
(It's also not clear to me how we would get rid of HRR in a future TLS version, 
without removing algorithm options, adding round-trips, or relying on some 
out-of-band signals.)

Cheers,

Andrei

-Original Message-
From: TLS  On Behalf Of Stephen Farrell
Sent: Monday, October 24, 2022 7:57 PM
To: Eric Rescorla ; Rob Sayre 
Cc: tls@ietf.org
Subject: [EXTERNAL] Re: [TLS] Published RFC 8446bis -05


Hiya,

On 25/10/2022 03:27, Eric Rescorla wrote:
> On Mon, Oct 24, 2022 at 7:17 PM Rob Sayre  wrote:
> 
>> Is removing HRR on the table?
>> 
> 
> No, I don't think so. It performs an important function.

Is there any public info as to how often HRR happens?
(Sorry if that's well known, but it's not well known to
me:-)

Were that rare enough, I'd hope it'd be a thing where we could reach consensus 
for deprecation. If it's not yet sufficiently rare, it might be worth 
considering if we could change something to make HRR less likely.

Cheers,
S.

> Moreover, the intent of this revision to TLS 1.3 was to clarify 8446, 
> and this would be a major (and breaking!) change.
> 
> 
> 
>> Maybe just opening a new socket would suffice?
>> 
> 
> I don't see that this would help.
> 
> 1. It would not be clear to the client what it had to do to provide an 
> acceptable CH. 2. Without some sort of HRR-like coupling, it would 
> allow downgrade attacks.
> 
> -Ekr
> 
> 
> 
>> thanks, Rob
>> 
>> On Mon, Oct 24, 2022 at 13:08 Eric Rescorla  wrote:
>> 
>>> Hi Folks,
>>> 
>>> I have just published draft-ietf-tls-rfc8446bis-05, with the 
>>> following changes:
>>> 
>>> * Update the extension table (Issue 1241) * Clarify user_canceled 
>>> (Issue 1208) * Clarify 0-RTT cache side channels (Issue 1225) * 
>>> Require that message reinjection be done with the current hash.
>>> Potentially a clarification and potentially a wire format change 
>>> depending on previous interpretation (Issue 1227)
>>> 
>>> I landed a few current PRs without review. If people think I handled 
>>> these incorrectly or mis-merged, please flag that.
>>> 
>>> This includes most of the outstanding issues and PRs. The following 
>>> remain:
>>> 
>>> PRS 1275 -- Clarifying unsolicited extensions [Waiting for review 
>>> from Kaduk] 1270 -- The impact of excessive key updates [Working on 
>>> text with MT] 1269 -- A new error for invalid tickets [see below] 
>>> 1231 -- Update in light of RFC 8773 [I missed this, but will get to 
>>> it on my next pass]
>>> 
>>> 
>>> SUBSTANTIVE ISSUES 1223, 1224 -- Revising the HRR rules 1278 -- 
>>> There are no entries in the table for which TLS 1.3 messages token 
>>> binding goes in.
>>> 
>>> 
>>> As preview of our discussion in London.
>>> 
>>> I believe I can handle 1275, 1270, and 1231 at the editorial level.
>>> 
>>> I believe we should not land 1269. As noted in the issue there is 
>>> already an unknown_psk_identity, which captures this. I propose to 
>>> close this issue.
>>> 
>>> We need to agree on what appears in the table for token binding. 
>>> I think this is mechanical. MT? DavidBen? Andrei?
>>> 
>>> 
>>> This leaves us with 1223 and 1224. I agree that the HRR semantics 
>>> are a little confusing, but we don't seem to be making much progress 
>>> on revising them and given that 8446 is already out, I think we 
>>> should just publish this revision and then if people get energy to 
>>> address this issue we can do so later.
>>> 
>>> 
>>> -Ekr
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> ___ TLS mailing list 
>>> TLS@ietf.org 
>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fww
>>> w.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=05%7C01%7CAndrei.Popo
>>> v%40microsoft.com%7C05e3b7f3afc84fe347bf08dab634b33c%7C72f988bf86f14
>>> 1af91ab2d7cd011db47%7C1%7C0%7C638022634746453365%7CUnknown%7CTWFpbGZ
>>> sb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0
>>> %3D%7C3000%7C%7C%7C&sdata=xWSwOGLU1Nd6jQvU7uQ0sEwGldTf8tz4EwO%2B
>>> HkCS6UQ%3D&reserved=0
>>> 
>> 
> 
> 
> ___ TLS mailing l

Re: [TLS] HRR delenda est (was Re: Published RFC 8446bis -05)

2022-10-25 Thread Rob Sayre 
On Tue, Oct 25, 2022 at 3:43 AM Bas Westerbaan  wrote:

>
> 1% of Cloudflare's TLS 1.3 handshakes today used an HRR.
>
 ...

> For those reasons I think it's a bit early to consider retiring HRR.
>

OK, that's more than I expected, although I kind of wonder what
combinations are doing this.

But, dropping HRR is a bigger change than EKR intended to make anyway, so I
guess the group can look again in a few years.

thanks,
Rob
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Published RFC 8446bis -05

2022-10-25 Thread Ilari Liusvaara 
On Mon, Oct 24, 2022 at 01:07:25PM -0700, Eric Rescorla wrote:
> Hi Folks,
> 
> I have just published draft-ietf-tls-rfc8446bis-05, with
> the following changes:
 
Should there be "SHOULD NOT reuse key shares between client hellos"?
I did't find such requirement (or maybe it is there but I just missed
it), which I think is odd, given that there is similar requirement for
tickets, and reusing key shares has similar impact as reusing tickets.

Such reuse is especially bad if SNI differs, or if the group is not
actually safe for key reuse.

(In case of hybrid key exchanges, implementations might reuse shares
within the same client hello. E.g., reusing the same X25519 key both
for x25519 and x25519+kyber768.)



And then section 5.5 contains "SHOULD not". I presume that should
be "SHOULD NOT". 




-Ilari

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] HRR delenda est (was Re: Published RFC 8446bis -05)

2022-10-25 Thread Marco Oliverio 

On 10/25/22 06:30, Rob Sayre wrote:



That's ok. I noticed that no one seems to test it very well. That's why 
I raised the possibility of deletion.


I don't think anyone actually uses it, but Stephen's request for data is 
probably the way to go.




Hi,

HRR is used as well to the cookie return-routability check, important 
for DTLSv1.3.


In my opinion, this wasn't an happy choice because it obliges the DTLS 
server to implement lot of logic statelessly in order to understand if 
the CH is acceptable or not.


Marco

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] HRR delenda est (was Re: Published RFC 8446bis -05)

2022-10-25 Thread Bas Westerbaan 
On Tue, Oct 25, 2022 at 6:30 AM Rob Sayre  wrote:

> I don't think anyone actually uses it,
>

1% of Cloudflare's TLS 1.3 handshakes today used an HRR.

I hope a de facto PQ kex will emerge — the old strategy of just sending
multiple keyshares is more expensive with large PQ public keys (~1kB). We
probably will need to complicate how the server picks the keyshare [1]

By the way, forcing an HRR by not sending any keyshares might be a useful
workaround if it turns out large initial ClientHello's are problematic for,
say, QUIC load balancers.

For those reasons I think it's a bit early to consider retiring HRR.

Best,

 Bas


[1] https://mailarchive.ietf.org/arch/msg/tls/pmJMSyf1-PGlLwcgF_jtEYKxQ-g/
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls