(This is another installment of our experiences with deploying the
RFC-final TLS 1.3—previous messages: [1][2]. We share these with the
community to hopefully avoid other people hitting the same issues.)

In the last update, David reported our experience with a bug[3] in
Java 11's TLS 1.3 implementation. We can confirm that this was fixed
in 11.0.2. However, since then another issue[4] has come to our
attention[8], the fix for which is not in any released version of Java
11. Additionally, we have found a third issue by code inspection which
we'll report on the Java bugtracker.

As such, we continue to fingerprint Java 11 clients on the server and
deny them TLS 1.3. This undercuts TLS 1.3's anti-downgrade measures
and we continue to send a special nonce suffix in that case[2].

Last week we tried sending KeyUpdate messages in Google Chrome, which
went poorly. Several, major OpenSSL-using applications block TLS 1.2
(and prior) renegotiation by installing a callback with OpenSSL and
watching for SSL_CB_HANDSHAKE_START events after the handshake has
completed. Such events are assumed to be renegotiation attempts by a
client and cause the connection to be dropped.

However, OpenSSL 1.1.1a signals SSL_CB_HANDSHAKE_START when TLS 1.3
post-handshake messages are received[5], including KeyUpdate. This
causes KeyUpdate messages to break with, at least, HAProxy, and with
NGINX prior to this commit[6]. (There may well be more, but that level
of breakage was enough to drown any other signal.)

Lastly, OpenSSL 1.1.1a imposes a hard limit of 32 KeyUpdate messages
per connection[7]. Therefore clients that send periodic KeyUpdates
based on elapsed time or transmitted bytes will eventually hit that
limit, which is fatal to the connection.

Therefore KeyUpdate messages are not currently viable on the web, at
least when client initiated.

[1] https://mailarchive.ietf.org/arch/msg/tls/PLtOD4kROZFfNtPKzSoMyIUOzuE
[2] https://mailarchive.ietf.org/arch/msg/tls/pixg5cBXHuwd3MtMIn_xIhWmGGQ
[3] https://bugs.openjdk.java.net/browse/JDK-8211806
[4] https://bugs.openjdk.java.net/browse/JDK-8213202
[5] https://github.com/openssl/openssl/issues/8069
[7] https://github.com/openssl/openssl/issues/8068
[8] https://twitter.com/__subodh/status/1085642001595265024



Adam Langley a...@imperialviolet.org https://www.imperialviolet.org

TLS mailing list

Reply via email to