[TLS] TLS 1.3 updates from Chrome

[David Benjamin]

Dear all,

The upcoming release of Google Chrome 70 is expected to enable the final
version of TLS 1.3. As the release has progressed through our early release
channels, we have learned about some deployment issues we would like to
share with the community.

First, we are aware of some intolerance to the final TLS 1.3 code point,
0x0304. Prerelease versions of OpenSSL 1.1.1, namely -pre6 and earlier,
implemented the draft versions of TLS 1.3 incorrectly
. Although the draft
versions used separate 0x7fxx code points for forward-compatibility,
OpenSSL incorrectly also interpreted 0x0304 as a draft version. These
servers will respond to a TLS 1.3 ClientHello with a draft version, rather
than TLS 1.2, and fail to interoperate.

Early adopters of OpenSSL should upgrade to the final 1.1.1 release. Those
that cannot upgrade quickly should disable the draft TLS 1.3 in
configuration. We do not believe this problem to be widespread and do not
intend to delay TLS 1.3 in Chrome for it.

Second, TLS 1.3 includes a downgrade signal
 in the ServerHello
random field that could not be deployed in draft versions. This signal
strengthens

TLS 1.3 connections while remaining fully backwards compatible with TLS 1.2
and earlier. Unfortunately, despite the solid compatibility story, we are
observing deployment issues.

We believe these are caused by non-compliant TLS-terminating proxies which,
rather than generating their own random values, copy the value from the
origin server. This behavior is incorrect for all
 prior
 versions
 of TLS. When such a
proxy terminates a connection between a TLS 1.3 client and server, the
resulting pair of TLS 1.2 connections appear as a downgrade and are
rejected.

We are aware of two vendors whose products have this bug: Cisco and Palo
Alto Networks, although there may be more. We reported the issue to Cisco
in December 2017. They released the fix this past August and have published
an advisory
.
Palo Alto Networks recently discovered the issue on their devices and are
planning to release PAN-OS 8.1.4, PAN-OS 8.0.14, and PAN-OS 7.1.21 to fix
this, tentatively by Nov 30th.

As random values in security protocols are there for a reason and assumed
to be random by all security analysis, we would advise that all affected
vendors treat such flaws as security issues, and not mere functional flaws.
Additionally, vendors should note the Protocol Invariants
 section of RFC 8446,
which points out areas historically dense in errors.

Due to the above, we will sadly be shipping TLS 1.3 in Chrome 70 with the
server-random check temporarily disabled. While we still have downgrade
protection via the Finished check, we consider this additional protection
an important part of TLS 1.3 and plan on re-enabling it in the near future.
Additionally, we are disabling the False Start
 optimization on connections with the
downgrade signal, as False Start skips the Finished check. Note this
effectively disables the optimization on affected middleboxes. Vendors
should fix the underlying ServerHello random flaw to recover performance.

We would recommend other clients considering similar measures to also
disable False Start when the signal is present. To that end, we ask that
TLS 1.3 server deployments leave the signal enabled on the server. The
False-Start-only enforcement is valuable, and the server signal aids client
measurement. Compatibility issues can be mitigated instead on the client.

David
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

[TLS] Fwd: IETF 103 Final Agenda

[Sean Turner]

FYI - our sessions are scheduled for the following times:

MONDAY, November 5, 2018
1350-1550  Afternoon Session I
Chitlada 2  SEC tls  Transport Layer Security WG

WEDNESDAY, November 7, 2018
1120-1220  Morning Session II
Chitlada 1  SEC tls  Transport Layer Security WG
spt
> Begin forwarded message:
> 
> From: IETF Agenda 
> Subject: IETF 103 Final Agenda
> Date: October 12, 2018 at 18:15:57 EDT
> To: "IETF Announcement List" 
> Cc: recentattend...@ietf.org, i...@ietf.org, 103...@ietf.org
> Reply-To: age...@ietf.org
> 
> IETF 103
> Bangkok, Thailand
> November 3-9, 2018
> Hosts: Huawei and Cisco
> 
> The IETF 103 final agenda is now available. 
> 
> https://datatracker.ietf.org/meeting/103/agenda.html
> https://datatracker.ietf.org/meeting/103/agenda.txt
> 
> While this is considered the final agenda for printing, changes may be made 
> to the agenda up until and during the meeting. Updates will be reflected on 
> the web versions of the agenda. 
> 
> 
> IETF 103 Information: https://www.ietf.org/how/meetings/103/
> Register online at: https://www.ietf.org/how/meetings/register/
> 
> 
> 
> Unofficial Side Meetings
> 
> As communicated back in May 
> (https://www.ietf.org/mail-archive/web/ietf/current/msg107813.html), the IESG 
> is running an agenda experiment on Friday of the IETF 103 meeting week.
> 
> Monday through Thursday, we will have two rooms available for attendees to 
> reserve for side meetings, as usual. On Friday, because there will be no 
> working group meetings, we will have eight rooms available for unofficial 
> side meetings. Projectors will be provided in all of the meeting rooms. 
> Meetecho will not be recording or providing remote participation on Friday. 
> Please note that all side meetings must conclude by 13:30.
> 
> We realize that keeping track of all of these side meetings may prove 
> challenging, so a calendar with subscription details can be found here: 
> https://www.ietf.org/how/meetings/103/side-meetings/
> 
> 
> 
> Don’t forget to register for these exciting IETF 103 events!
> 
> Hackathon 
>   Signup: 
> https://www.ietf.org/registration/ietf103/hackathonregistration.py
>   More information: 
> https://www.ietf.org/how/runningcode/hackathons/103-hackathon/
>   Keep up to date by subscribing to: 
>   https://www.ietf.org/mailman/listinfo/hackathon
> 
> Code Sprint
>   Signup: 
> https://trac.tools.ietf.org/tools/ietfdb/wiki/IETF103SprintSignUp
>   More information: 
> https://trac.tools.ietf.org/tools/ietfdb/wiki/IETF103Sprint
> 

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls