(This is another installment of our experiences with deploying the RFC-final TLS 1.3—previous messages: [1][2]. We share these with the community to hopefully avoid other people hitting the same issues.)

In the last update, David reported our experience with a bug[3] in Java 11's TLS 1.3 implementation. We can confirm that this was fixed in 11.0.2. However, since then another issue[4] has come to our attention[8], the fix for which is not in any released version of Java 11. Additionally, we have found a third issue by code inspection which we'll report on the Java bugtracker. As such, we continue to fingerprint Java 11 clients on the server and deny them TLS 1.3. This undercuts TLS 1.3's anti-downgrade measures and we continue to send a special nonce suffix in that case[2].

Last week we tried sending KeyUpdate messages in Google Chrome, which went poorly. Several major OpenSSL-using applications block TLS 1.2 (and prior) renegotiation by installing a callback with OpenSSL and watching for SSL_CB_HANDSHAKE_START events after the handshake has completed. Such events are assumed to be renegotiation attempts by a client and cause the connection to be dropped. However, OpenSSL 1.1.1a signals SSL_CB_HANDSHAKE_START when TLS 1.3 post-handshake messages are received[5], including KeyUpdate. This causes KeyUpdate messages to break with, at least, HAProxy, and with NGINX prior to this commit[6]. (There may well be more, but that level of breakage was enough to drown any other signal.)

Lastly, OpenSSL 1.1.1a imposes a hard limit of 32 KeyUpdate messages per connection[7]. Therefore clients that send periodic KeyUpdates based on elapsed time or transmitted bytes will eventually hit that limit, which is fatal to the connection.

Therefore KeyUpdate messages are not currently viable on the web, at least when client initiated.

[1] https://mailarchive.ietf.org/arch/msg/tls/PLtOD4kROZFfNtPKzSoMyIUOzuE
[2] https://mailarchive.ietf.org/arch/msg/tls/pixg5cBXHuwd3MtMIn_xIhWmGGQ
[3] https://bugs.openjdk.java.net/browse/JDK-8211806
[4] https://bugs.openjdk.java.net/browse/JDK-8213202
[5] https://github.com/openssl/openssl/issues/8069
[6] https://trac.nginx.org/nginx/changeset/e3ba4026c02d2c1810fd6f2cecf499fc39dde5ee/nginx/src/event/ngx_event_openssl.c
[7] https://github.com/openssl/openssl/issues/8068
[8] https://twitter.com/__subodh/status/1085642001595265024

Cheers

AGL

--
Adam Langley a...@imperialviolet.org https://www.imperialviolet.org
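
The renegotiation-blocking callback pattern described in the message above, modelled as an added example that is not part of the original post and is not HAProxy's, NGINX's or OpenSSL's code. The `conn` struct, the function names and the event trace are constructed for illustration, and the version-aware check is one assumed way to keep the TLS 1.2 protection without dropping TLS 1.3 connections on KeyUpdate.

```c
#include <stddef.h>
#include <stdio.h>

/* Numeric values as defined in OpenSSL's ssl.h and tls1.h. */
#define CB_HANDSHAKE_START 0x10   /* SSL_CB_HANDSHAKE_START */
#define CB_HANDSHAKE_DONE  0x20   /* SSL_CB_HANDSHAKE_DONE */
#define VER_TLS1_2 0x0303         /* TLS1_2_VERSION */
#define VER_TLS1_3 0x0304         /* TLS1_3_VERSION */

/* Hypothetical per-connection state kept by the server application. */
struct conn { int version; int handshaked; int drop; };
typedef void (*info_cb)(struct conn *, int where);

/* Pattern from the message: HANDSHAKE_START after completion means drop. */
static void naive_cb(struct conn *c, int where) {
    if ((where & CB_HANDSHAKE_START) && c->handshaked) c->drop = 1;
    if (where & CB_HANDSHAKE_DONE) c->handshaked = 1;
}

/* Assumed alternative: TLS 1.3 has no renegotiation, so only apply the
   check when the negotiated version is TLS 1.2 or earlier. */
static void version_aware_cb(struct conn *c, int where) {
    if ((where & CB_HANDSHAKE_START) && c->handshaked
        && c->version < VER_TLS1_3) c->drop = 1;
    if (where & CB_HANDSHAKE_DONE) c->handshaked = 1;
}

/* Replay an event trace; returns 1 if the connection would be dropped. */
static int replay(info_cb cb, int version, const int *ev, size_t n) {
    struct conn c = { version, 0, 0 };
    for (size_t i = 0; i < n && !c.drop; i++) cb(&c, ev[i]);
    return c.drop;
}

/* Constructed trace: initial handshake, then the event raised by a TLS 1.2
   renegotiation attempt or, on OpenSSL 1.1.1a, by a TLS 1.3 KeyUpdate. */
static const int TRACE[] = { CB_HANDSHAKE_START, CB_HANDSHAKE_DONE,
                             CB_HANDSHAKE_START };

int main(void) {
    printf("naive, TLS 1.3 KeyUpdate:   drop=%d\n", replay(naive_cb, VER_TLS1_3, TRACE, 3));
    printf("aware, TLS 1.3 KeyUpdate:   drop=%d\n", replay(version_aware_cb, VER_TLS1_3, TRACE, 3));
    printf("aware, TLS 1.2 renegotiate: drop=%d\n", replay(version_aware_cb, VER_TLS1_2, TRACE, 3));
    return 0;
}
```

In a real server the same decision would sit in the function registered with `SSL_set_info_callback`, with the negotiated version read via `SSL_version`.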