On Tue, Jul 28, 2020 at 12:26 AM Martin Thomson <m...@lowentropy.net> wrote:
> The following text from Section 5.3 is deeply problematic:
>
>    A decryption policy decision MAY be made based on the server
>    certificate or other trustworthy parameters. To verify possession of
>    private keys that are associated with a particular server
>    certificate, the proxy SHOULD complete an out-of-band TLS handshake
>    with the same TLS server IP address and TCP port as targeted by the
>    TLS client.
>
> It is possible that the authors misunderstand how TLS works, but this
> check won't work. Not only because TLS 1.3 encrypts information, but
> because this is only necessary if the proxy forwards a ClientHello from the
> client to the server.

In addition, this check is susceptible to a trivial forwarding attack in which the server in question forwards the data to the true server.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls