-Original Message-
From: Alan DeKok
Sent: Saturday, August 1, 2020 6:53 AM
To: Jim Schaad
Cc: Mohit Sethi M ; EMU WG ; Benjamin
Kaduk
Subject: Re: [Emu] Commitment Message handling in EAP-TLS 1.3
On Jul 31, 2020, at 12:30 PM, Jim Schaad wrote:
>
> Ok – so this issue was raised at IETF 102. (presentation
> https://www.ietf.org/proceedings/102/slides/slides-102-emu-eap-tls-with-tls-13-00)
>
> Just reading the slides is not telling me what was the problem. I think I am
> going to need to hear the audio of the presentation. I have an extremely
> vague memory that there was an OpenSSL problem involved here but I would not
> swear to that. You might be a better description either from John Mattsson
> or Jouni.
IIRC it's that OpenSSL doesn't have an API to send a zero bytes of
application data. I think other TLS implementations have similar limitations.
Regardless of what solution is implemented, the requirement is to have a
positive acknowledgement that TLS setup is finished. This step seems to be
missing by default in TLS 1.3.
I suspect that most uses of TLS will *always* send application data. Which
makes EAP-TLS an outlier. Hence the need for hacks like "send application data
as one octet of zero".
[JLS] Cobwebs are slowly being shaken out of my brain.
* I made an incorrect statement yesterday because I got EAP-TEAP and EAP-TLS
confused. Not surprising because I only ever spent any time on EAP-TEAP . In
EAP-TLS, once the handshake has been completed the tunnel does not need to be
kept open. This is the opposite of the case for EAP-TEAP where the tunnel is
used for application EAP data.
* Based on that I agree with EKR that the close notification could be used
instead of sending the one byte of application data. Sending the close
notification means that the server will no longer be sending any data and thus
would not send any new session tickets.
EAP Peer EAP Server
EAP-Request/
< Identity
EAP-Response/
Identity (Privacy-Friendly) >
EAP-Request/
EAP-Type=EAP-TLS
<(TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS ClientHello) >
EAP-Request/
EAP-Type=EAP-TLS
(TLS ServerHello,
TLS EncryptedExtensions,
TLS CertificateRequest,
TLS Certificate,
TLS CertificateVerify,
< TLS Finished)
EAP-Response/
EAP-Type=EAP-TLS
(TLS Certificate,
TLS CertificateVerify,
TLS Finished)>
EAP-Request/
EAP-Type=EAP-TLS
<(close_notify)
EAP-Response/
EAP-Type=EAP-TLS >
< EAP-Success
Jim
Alan DeKok.
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu