On Sat, Oct 29, 2016 at 3:00 AM, Martin Rex <m...@sap.com> wrote: > Joseph Salowey wrote: > > > > This is a working group last call announcement for > draft-ietf-tls-tls13-18, > > to run through November 20. If possible, we would like to receive > comments > > on the list by November 13 so they can be discussed at the meeting in > > Seoul. We hope to address any substantive issues raised during that > process > > shortly thereafter. > > > > In order to allow for cryptographic review, we will delay submission of > the > > draft to the IESG until the end of January 2017; there will be an > > opportunity to address any issues discovered by the cryptographic > community > > prior to submission to the IESG. > > > There are two seriously backwards-incompatible changes in the > current proposal that provide zero value, but completely break > backwards-compatibility with existing middleware infrastructure. > > > (1) hiding of the TLS record content types. > Please leave the TLS record types (handshake/AppData/Alert/CCS) > clearly visible on the outside of the TLS records, so that > middleware protocol parsers (which interface to transport-free > TLS protocol stacks) can continue to work, and continue to > work efficiently.
I'll let the chairs determine how to handle this. > (2) hiding of the TLS extension SNI. > Right now it is perferctly fine to implement TLS extensions SNI > on the server completely outside the TLS protocol stack to route > to single-cert SNI-unaware backends. The current proposal > suggest to move TLS extension SNI into the encrypted part, if > my superficial reading of the draft is correct, so TLSv1.3 > will not fly with existing architectures where spreading of > TLS requests on the server-side based on TLS extension SNI > is done outside of the TLS protocol stack (i.e. bottleneck-less > without having to open TLS). This isn't quite right. In RFC 6066, the client sends its server_name extension in ClientHello and the server responds with an empty server_name in its ServerHello to indicate that it accepted SNI. A server that receives a client hello containing the "server_name" extension MAY use the information contained in the extension to guide its selection of an appropriate certificate to return to the client, and/or other aspects of security policy. In this event, the server SHALL include an extension of type "server_name" in the (extended) server hello. The "extension_data" field of this extension SHALL be empty. In TLS 1.3, the client's extension remains where it is, but the server's extension is in EncryptedExtensions. This shouldn't interfere with configurations such as the one you describe, as the server already needed to insert the SNI field itself and hash it into Finished. -Ekr >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
