> On 18 Nov 2015, at 3:32 AM, Peter Gutmann <[email protected]> wrote:
>
> Eric Rescorla <[email protected]> writes:
>
>> The concern here is backward compatibility with inspection middleboxes which
>> expect the length field to be in a particular place.
>
> Given that the rest of TLS 1.3 is going to break compatibility with pretty
> much everything everywhere, I can't see this as a big concern, may as well fix
> it at the same time as everything else is being changed.
>
Stateful firewalls tend to pass only what they understand. They use some measures to avoid tunneling and passing things that are not HTTPS over TCP port 443. To achieve this, they run sanity checks on the traffic. They try to strike a balance between not getting circumvented and not dropping legitimate traffic. Sometimes they get it wrong. Sometimes they block legitimate but surprising stuff.

As an example from 15 years ago, when Mac OS 9.2 came out, it sent data on the third packet of TCP (the ACK - last of the handshake packets). This is allowed by RFC, but was not done by any other platform. This failed the sanity checks of some firewalls, causing that traffic to be blocked. Two results of this event: we fixed our firewalls, but nobody (including Apple) does that anymore.

A sanity check on TLS might involve validating 5-byte record headers with sane length and version fields. A firewall might be out there that verifies this. This is the kind of thing that might be missed in testing, and we’ll only find out when some brave soul deploys TLS 1.3 in Chrome only to find out that it is blocked in 3% of the Internet.

Yoav

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
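The kind of record-header sanity check described in the message above, as an added example that is not part of the original message and not any vendor's firewall code. The function names, the accepted version range, and both sample byte strings are assumptions constructed for illustration; the "rearranged" header is a hypothetical layout, not an actual TLS 1.3 proposal.

```python
import struct

# TLS 1.2 (RFC 5246) caps a ciphertext fragment at 2^14 + 2048 bytes.
MAX_FRAGMENT = 2**14 + 2048
CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data


def check_record_header(header: bytes):
    """Validate one 5-byte record header: type(1) | version(2) | length(2)."""
    if len(header) < 5:
        return False, "truncated header", 0
    ctype, major, minor, length = struct.unpack("!BBBH", header[:5])
    if ctype not in CONTENT_TYPES:
        return False, f"unknown content type {ctype}", 0
    if major != 3 or minor > 3:  # assumption: box only knows SSL 3.0 .. TLS 1.2
        return False, f"unexpected version {major}.{minor}", 0
    if length > MAX_FRAGMENT:
        return False, f"implausible length {length}", 0
    return True, "ok", length


def inspect_stream(data: bytes):
    """Walk a reassembled TCP payload record by record; return (verdict, records_seen)."""
    offset, seen = 0, 0
    while offset < len(data):
        if len(data) - offset < 5:
            return "pass: partial record, wait for more data", seen
        ok, reason, length = check_record_header(data[offset:offset + 5])
        if not ok:
            return f"drop: {reason} at offset {offset}", seen
        if offset + 5 + length > len(data):
            return "pass: partial record, wait for more data", seen
        offset += 5 + length
        seen += 1
    return "pass", seen


# Constructed sample: a handshake record followed by an application_data record.
BODY = b"\x01\x00\x00\x01\x00"
CLASSIC = bytes.fromhex("1603010005") + BODY + bytes.fromhex("1703030003") + b"abc"
# Constructed, hypothetical layout: type(1) | length(2) | body, with no version field.
REARRANGED = bytes([22]) + struct.pack("!H", len(BODY)) + BODY

if __name__ == "__main__":
    for name, sample in (("classic", CLASSIC), ("rearranged", REARRANGED)):
        print(name, inspect_stream(sample))
```

The rearranged sample carries the same handshake body, but the checker reads its length bytes as a version field and drops the flow at the first record.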
