Hi David,

I remember that the same problem was discussed when standardizing EAP-TLS 1.3. The following text is in RFC 9190:

“Note that the key derivation MUST use the length values given above. While in TLS 1.2 and earlier it was possible to truncate the output by requesting less data from the TLS-Exporter function, this practice is not possible with TLS 1.3. If an implementation intends to use only a part of the output of the TLS-Exporter function, then it MUST ask for the full output and then only use the desired part. Failure to do so will result in incorrect values being calculated for the above keying material.”

I agree that it would be good if 8446bis discussed the problem.

Cheers,
John

From: David Benjamin <david...@chromium.org>
Date: Monday, 10 March 2025 at 21:20
To: <tls@ietf.org>
Subject: [TLS] Exporter compatibility pitfall between (D)TLS 1.2 and 1.3

Hi all,

I recently spent some time debugging an interop issue between WebRTC + DTLS 1.3 in Chrome and WebRTC + DTLS 1.3 in Firefox. The cause of the issue was a minor but interesting incompatibility between (D)TLS 1.2 and (D)TLS 1.3 that doesn't seem to have been flagged in RFC 8446 anywhere. Nothing actionable for this group, apart from maybe a last minute sentence to add to 8446bis (way too late to change how exporters work), but I thought I would pass it along for general awareness.

WebRTC uses DTLS-SRTP, which uses export keying material to generate some specified number of bytes of data: https://www.rfc-editor.org/rfc/rfc5764.html#section-4.2

It turns out Firefox exported the maximum key+salt length and then only used a prefix of the output, rather than exporting the length as specified in RFC 5764. Back in 1.2, this was just fine and gave the right output. The requested length didn't figure into the derivation. But 1.3 incorporates the requested length into the derivation, so now this computes the wrong value.

This means, starting with 1.3, applications must be sure to pass in exactly the length specified by the protocol they're implementing. Applications that relied on this 1.2 property will silently do the wrong thing when upgrading to 1.3.

David
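The length dependence discussed in this thread, as an added example that is not part of either message or of any implementation named in it: the RFC 5705 exporter over the TLS 1.2 SHA-256 PRF next to the RFC 8446 exporter, each asked for a longer output and then truncated. Assumptions: a SHA-256 cipher suite, the TLS 1.3 "tls13 " label prefix (DTLS 1.3 uses its own prefix), constructed secrets and randoms, and constructed lengths of 60 and 88 bytes.

```python
import hashlib
import hmac

def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def tls12_exporter(master_secret, label, client_random, server_random, length):
    """RFC 5705 exporter (no context) over the TLS 1.2 SHA-256 PRF."""
    seed = label + client_random + server_random
    out, a = b"", seed
    while len(out) < length:
        a = _hmac(master_secret, a)            # A(i) = HMAC(secret, A(i-1))
        out += _hmac(master_secret, a + seed)
    return out[:length]                        # length only truncates the stream

def hkdf_expand_label(secret, label, context, length):
    """RFC 8446 section 7.1: the HkdfLabel structure encodes the length."""
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    out, t, i = b"", b"", 1
    while len(out) < length:                   # HKDF-Expand, RFC 5869
        t = _hmac(secret, t + info + bytes([i]))
        out += t
        i += 1
    return out[:length]

def tls13_exporter(exporter_secret, label, context, length):
    """RFC 8446 section 7.5 TLS-Exporter."""
    empty_hash = hashlib.sha256(b"").digest()
    derived = hkdf_expand_label(exporter_secret, label, empty_hash, 32)
    return hkdf_expand_label(derived, b"exporter",
                             hashlib.sha256(context).digest(), length)

# Constructed inputs, not taken from any real handshake.
SECRET = bytes(range(48))
CR, SR = b"\x01" * 32, b"\x02" * 32
LABEL = b"EXTRACTOR-dtls_srtp"                 # exporter label from RFC 5764
SPEC_LEN, OVER_LEN = 60, 88                    # constructed lengths

def prefix_matches_tls12():
    # Over-export then truncate, compared with exporting the exact length.
    return (tls12_exporter(SECRET, LABEL, CR, SR, OVER_LEN)[:SPEC_LEN]
            == tls12_exporter(SECRET, LABEL, CR, SR, SPEC_LEN))

def prefix_matches_tls13():
    return (tls13_exporter(SECRET[:32], LABEL, b"", OVER_LEN)[:SPEC_LEN]
            == tls13_exporter(SECRET[:32], LABEL, b"", SPEC_LEN))
```

An interop test that compares exporter output at the exact protocol-specified length against a known-good peer catches this mismatch, since the 1.3 outputs differ from the first byte.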