Re: [TLS] Further TLS 1.3 deployment updates

2018-12-14 Thread Nico Williams
On Fri, Dec 14, 2018 at 10:11:38PM +0100, Martin Rex wrote:
> Nico Williams wrote:
> > On Wed, Dec 12, 2018 at 04:21:43PM -0600, David Benjamin wrote:
> >> We have one more update for you all on TLS 1.3 deployment issues. Over the
> >> course of deploying TLS 1.3 to Google servers, we found that

Re: [TLS] Further TLS 1.3 deployment updates

2018-12-14 Thread Martin Rex
Nico Williams wrote:
> On Wed, Dec 12, 2018 at 04:21:43PM -0600, David Benjamin wrote:
>> We have one more update for you all on TLS 1.3 deployment issues. Over the
>> course of deploying TLS 1.3 to Google servers, we found that JDK 11
>> unfortunately implemented TLS 1.3 incorrectly. On

Re: [TLS] Further TLS 1.3 deployment updates

2018-12-14 Thread Adam Langley
On Fri, Dec 14, 2018 at 10:50 AM Nico Williams wrote:
> If the server rejects resumption I guess the client would still fail,
> but this is much better than failing at 100% of all resumptions and
> better than adding fingerprinting and downgrades.
> In order for TLS 1.3 deployment to be viable

Re: [TLS] Further TLS 1.3 deployment updates

2018-12-14 Thread Nico Williams
On Wed, Dec 12, 2018 at 04:21:43PM -0600, David Benjamin wrote:
> We have one more update for you all on TLS 1.3 deployment issues. Over the
> course of deploying TLS 1.3 to Google servers, we found that JDK 11
> unfortunately implemented TLS 1.3 incorrectly. On resumption, it fails to
> send the

Re: [TLS] Further TLS 1.3 deployment updates

2018-12-13 Thread Hubert Kario
On Thursday, 13 December 2018 18:04:12 CET David Benjamin wrote:
> On Thu, Dec 13, 2018 at 10:54 AM Hubert Kario wrote:
> > On Wednesday, 12 December 2018 23:21:43 CET David Benjamin wrote:
> > > Hi folks,
> > >
> > > We have one more update for you all on TLS 1.3 deployment issues. Over
> > >

Re: [TLS] Further TLS 1.3 deployment updates

2018-12-13 Thread David Benjamin
On Thu, Dec 13, 2018 at 10:54 AM Hubert Kario wrote:
> On Wednesday, 12 December 2018 23:21:43 CET David Benjamin wrote:
> > Hi folks,
> >
> > We have one more update for you all on TLS 1.3 deployment issues. Over the
> > course of deploying TLS 1.3 to Google servers, we found that JDK 11
> >

Re: [TLS] Further TLS 1.3 deployment updates

2018-12-13 Thread Hubert Kario
On Wednesday, 12 December 2018 23:21:43 CET David Benjamin wrote:
> Hi folks,
>
> We have one more update for you all on TLS 1.3 deployment issues. Over the
> course of deploying TLS 1.3 to Google servers, we found that JDK 11
> unfortunately implemented TLS 1.3 incorrectly. On resumption, it

[TLS] Further TLS 1.3 deployment updates

2018-12-12 Thread David Benjamin
Hi folks, We have one more update for you all on TLS 1.3 deployment issues. Over the course of deploying TLS 1.3 to Google servers, we found that JDK 11 unfortunately implemented TLS 1.3 incorrectly. On resumption, it fails to send the SNI extension. This means that the first connection from a