TLS 1.3 non compliance with current draft


TLS 1.3 non compliance with current draft

Hubert Kario
When openssl sends a second Client Hello message, it modifies it quite
extensively, not only client_random is changed but also advertised cipher
suites.

see https://github.com/openssl/openssl/issues/4292

That makes it non-compliant with the current draft (-21):

   When a client first connects to a server, it is REQUIRED to send the
   ClientHello as its first message.  The client will also send a
   ClientHello when the server has responded to its ClientHello with a
   HelloRetryRequest.  In that case, the client *MUST send the same*
   *ClientHello* (without modification) except:

   -  If a "key_share" extension was supplied in the HelloRetryRequest,
      replacing the list of shares with a list containing a single
      KeyShareEntry from the indicated group.

   -  Removing the "early_data" extension (Section 4.2.9) if one was
      present.  Early data is not permitted after HelloRetryRequest.

   -  Including a "cookie" extension if one was provided in the
      HelloRetryRequest.

   -  Updating the "pre_shared_key" extension if present by recomputing
      the "obfuscated_ticket_age" and binder values and (optionally)
      removing any PSKs which are incompatible with the server's
      indicated cipher suite.


--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
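
The rule quoted in the message above can be checked mechanically over two captured ClientHello bodies, as in this added example, which is not part of the thread or of OpenSSL's code. The function names are hypothetical, the extension codepoints are those of RFC 8446, and sample messages are constructed with `build_client_hello`.

```python
# RFC 8446 codepoints; earlier drafts numbered key_share differently (adjust).
KEY_SHARE, PRE_SHARED_KEY, EARLY_DATA, COOKIE = 51, 41, 42, 44

def _vec(buf, pos, width):
    """Read a vector with a width-byte length prefix; return (data, next_pos)."""
    end = pos + width
    n = int.from_bytes(buf[pos:end], "big")
    if end > len(buf) or end + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[end:end + n], end + n

def parse_client_hello(body):
    """Parse a ClientHello body (handshake header already stripped)."""
    fields, pos = {"legacy_version": body[:2], "random": body[2:34]}, 34
    for name, width in (("session_id", 1), ("cipher_suites", 2), ("compression", 1)):
        fields[name], pos = _vec(body, pos, width)
    block, _ = _vec(body, pos, 2)
    exts, pos = {}, 0
    while pos < len(block):
        ext_type = int.from_bytes(block[pos:pos + 2], "big")
        exts[ext_type], pos = _vec(block, pos + 2, 2)
    return fields, exts

def hrr_violations(ch1, ch2, hrr_group=None, hrr_cookie=False):
    """List how ch2 departs from ch1 beyond the exceptions the draft allows."""
    (f1, e1), (f2, e2) = parse_client_hello(ch1), parse_client_hello(ch2)
    problems = [f"{name} changed" for name in f1 if f1[name] != f2[name]]
    if EARLY_DATA in e2:
        problems.append("early_data present after HelloRetryRequest")
    if hrr_group is not None:
        # Expect exactly one KeyShareEntry, for the group the server indicated.
        shares, _ = _vec(e2.get(KEY_SHARE, b"\0\0"), 0, 2)
        entry_end = _vec(shares, 2, 2)[1] if len(shares) >= 4 else -1
        if shares[:2] != hrr_group.to_bytes(2, "big") or entry_end != len(shares):
            problems.append("key_share is not a single entry for the indicated group")
    for t in sorted(set(e1) | set(e2)):
        # pre_shared_key may change when kept: its binders are recomputed.
        if (t == EARLY_DATA or (t == KEY_SHARE and hrr_group is not None) or
                (t == PRE_SHARED_KEY and t in e1 and t in e2) or (t == COOKIE and hrr_cookie)):
            continue
        if e1.get(t) != e2.get(t):
            problems.append(f"extension {t} added, removed or changed")
    return problems

def build_client_hello(random, suites, exts):
    """Constructed sample input: assemble a ClientHello body from its parts."""
    ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in exts)
    return (b"\x03\x03" + random + b"\0" + len(suites).to_bytes(2, "big") + suites
            + b"\x01\0" + len(ext).to_bytes(2, "big") + ext)
```

A second ClientHello with a fresh random and a different cipher suite list, as described in the message, is reported as `random changed` and `cipher_suites changed`; binder values in `pre_shared_key` are not verified.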


Re: TLS 1.3 non compliance with current draft

Matt Caswell-2


On 01/09/17 18:05, Hubert Kario wrote:
> When openssl sends a second Client Hello message, it modifies it quite
> extensively, not only client_random is changed but also advertised cipher
> suites.
>
> see https://github.com/openssl/openssl/issues/4292
>
> That makes it non-compliant with the current draft (-21):

Yes, I've seen the github issue on this. I will take a look at this at
some point this week.

Matt

>
>    When a client first connects to a server, it is REQUIRED to send the
>    ClientHello as its first message.  The client will also send a
>    ClientHello when the server has responded to its ClientHello with a
>    HelloRetryRequest.  In that case, the client *MUST send the same*
>    *ClientHello* (without modification) except:
>
>    -  If a "key_share" extension was supplied in the HelloRetryRequest,
>       replacing the list of shares with a list containing a single
>       KeyShareEntry from the indicated group.
>
>    -  Removing the "early_data" extension (Section 4.2.9) if one was
>       present.  Early data is not permitted after HelloRetryRequest.
>
>    -  Including a "cookie" extension if one was provided in the
>       HelloRetryRequest.
>
>    -  Updating the "pre_shared_key" extension if present by recomputing
>       the "obfuscated_ticket_age" and binder values and (optionally)
>       removing any PSKs which are incompatible with the server's
>       indicated cipher suite.
>
>
>
>
