Hi all, I recently spent some time debugging an interop issue between WebRTC + DTLS 1.3 in Chrome and WebRTC + DTLS 1.3 in Firefox. The cause of the issue was a minor but interesting incompatibility between (D)TLS 1.2 and (D)TLS 1.3 that doesn't seem to have been flagged in RFC 8446 anywhere. Nothing actionable for this group, apart from maybe a last minute sentence to add to 8446bis (way too late to change how exporters work), but I thought I would pass it along for general awareness.
WebRTC uses DTLS-SRTP, which uses export keying material to generate some specified number of bytes of data: https://www.rfc-editor.org/rfc/rfc5764.html#section-4.2 It turns out Firefox exported the maximum key+salt length and then only used a prefix of the output, rather than exporting the length as specified in RFC 5764. Back in 1.2, this was just fine and gave the right output. The requested length didn't figure into the derivation. But 1.3 incorporates the requested length into the derivation, so now this computes the wrong value. This means, starting with 1.3, applications must be sure to pass in exactly the length specified by the protocol they're implementing. Applications that relied on this 1.2 property will silently do the wrong thing when upgrading to 1.3. David
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
