Hi folks,

We have one more update for you all on TLS 1.3 deployment issues. Over the
course of deploying TLS 1.3 to Google servers, we found that JDK 11
unfortunately implemented TLS 1.3 incorrectly. On resumption, it fails to
send the SNI extension. This means that the first connection from a JDK 11
client will work, but subsequent ones fail.
https://bugs.openjdk.java.net/browse/JDK-8211806

It appears this will be fixed in JDK 11.0.2, which is not yet released. In
the meantime, we have sadly had to detect JDK 11 clients and disable TLS
1.3 for them. This, in turn, raises a problem with the downgrade signal in
ServerHello.random. JDK 11 does implement that downgrade signal, so the
workaround cannot send it. However, the signal is not effective for other
clients unless all TLS 1.2 ServerHellos are marked.

To salvage this for now, we've introduced a second value, generated
randomly:
    0xed, 0xbf, 0xb4, 0xa8, 0xc2, 0x47, 0x10, 0xff

When Google servers detect JDK 11 and disable TLS 1.3 to work around this
issue, they will use that value in ServerHello.random instead of the
standard 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01. Future versions of
Chrome will treat the new value as an alias of the standard one. Other
clients may wish to do the same, but please properly test your TLS 1.3
implementation first.

As JDK 11 is quite recent, we hope this will be relatively short-lived and
that we can remove this workaround and non-standard signal in the future.
Users of JDK 11 should upgrade to 11.0.2 once released to avoid
interoperability issues. In the meantime, they should disable TLS 1.3 by
passing -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 to the java binary.

Finally, as an update to the non-compliant middleboxes we noted previously
<https://www.ietf.org/mail-archive/web/tls/current/msg27066.html>, PAN-OS
8.1.4, PAN-OS 8.0.14, and PAN-OS 7.1.21 appear to now be released. Users of
Cisco and Palo Alto Networks firewall devices should upgrade their
products. We plan to reintroduce enforcement of the downgrade signal
sometime in the next year.

David
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
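
The client-side check discussed in the message above, as an added example that is not part of the original message and is not Chrome's or any project's own code. The function name and version macros are hypothetical, and where the check applies follows the downgrade-protection rule in RFC 8446; the sample ServerHello.random is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* RFC 8446 sentinels, carried in the last 8 bytes of ServerHello.random. */
static const uint8_t kDowngradeTLS12[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01};
static const uint8_t kDowngradeTLS11[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00};
/* Non-standard value from this message, treated as an alias of kDowngradeTLS12. */
static const uint8_t kDowngradeJDK11Alias[8] = {0xed, 0xbf, 0xb4, 0xa8, 0xc2, 0x47, 0x10, 0xff};

/* Hypothetical helper: returns 1 if the client must abort the handshake
 * because the server signalled that it supports a higher version than the
 * one negotiated, 0 otherwise. */
int downgrade_detected(const uint8_t server_random[32], uint16_t negotiated,
                       uint16_t client_max) {
    const uint8_t *tail = server_random + 24;
    /* ServerHello.random is public, so plain memcmp is fine here. */
    int is_tls12_mark = memcmp(tail, kDowngradeTLS12, 8) == 0 ||
                        memcmp(tail, kDowngradeJDK11Alias, 8) == 0;
    int is_tls11_mark = memcmp(tail, kDowngradeTLS11, 8) == 0;

    /* A TLS 1.3 client checks both marks on any TLS 1.2-or-below ServerHello. */
    if (client_max >= TLS1_3_VERSION && negotiated <= TLS1_2_VERSION)
        return is_tls12_mark || is_tls11_mark;
    /* A TLS 1.2 client checks only the TLS 1.1-or-below mark. */
    if (client_max == TLS1_2_VERSION && negotiated <= TLS1_1_VERSION)
        return is_tls11_mark;
    return 0;
}

int main(void) {
    /* Constructed sample: 24 zero bytes followed by the alias value. */
    uint8_t server_random[32] = {0};
    memcpy(server_random + 24, kDowngradeJDK11Alias, 8);
    printf("TLS 1.3 client, TLS 1.2 negotiated: %s\n",
           downgrade_detected(server_random, TLS1_2_VERSION, TLS1_3_VERSION)
               ? "abort (downgrade signal)" : "continue");
    return 0;
}
```

A client that does not know the alias, such as the JDK 11 client the workaround targets, sees the same bytes as ordinary randomness and continues the handshake.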
