Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use the DTLS ClientHello structure in ECH with DTLS #640

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Use the DTLS ClientHello structure in ECH with DTLS #640

wants to merge 2 commits into from

Conversation

davidben
Copy link
Collaborator

This PR implements the option if we decide to use DTLS's ClientHello as the payload and AAD, rather than somehow fit TLS's in there.

Fixes #639.

I haven't yet gotten this working for BoringSSL (probably will finish that after the holiday), but I suspect this is the more straightforward option for us. @martinthomson what has NSS implemented / would be more convenient for NSS?

@davidben
Use the DTLS ClientHello structure in ECH with DTLS
90d732b 
This PR implements the option if we decide to use DTLS's ClientHello as
the payload and AAD, rather than somehow fit TLS's in there.

Fixes tlswg#639.
@davidben davidben requested a review from chris-wood as a code owner November 27, 2024 18:36
@davidben davidben mentioned this pull request Nov 27, 2024
Open
@davidben
Copy link
Collaborator Author

NB: This option means needing to reason about injectivity. But the first two bytes of a DTLS ClientHello are different, so I think we're alright on that front? (Although nothing is stopping someone from sending 0xfefd in the legacy version of a TLS ClientHello, so... 🤷

martinthomson
martinthomson approved these changes Nov 27, 2024
View reviewed changes
Copy link
Contributor

@martinthomson martinthomson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems right.

@davidben
Copy link
Collaborator Author

I haven't yet gotten this working for BoringSSL

I can now report that there is at least one implementation. 🙂 Possibly two if NSS had already done it before all this. Also our Go testing stack if you count that one, but that stack is weird.

It was a lot of chasing down of the TLS vs DTLS header (our DTLS stack carries the old style header around because it was the way you spelled it in 1.2), and making sure all the ClientHello processing bits picked up the right now. But nothing fundamentally hard. Just more ways that we pay for DTLS 1.2's sins.

@ekr
Copy link
Collaborator

ekr commented Dec 1, 2024

I believe this is the correct resolution. @seanturner @jsalowey @dconnolly are you OK with merging it?

@davidben davidben mentioned this pull request Dec 2, 2024
Open
@davidben
Copy link
Collaborator Author

davidben commented Dec 2, 2024

Also got #641. 😞

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinthomson martinthomson martinthomson approved these changes

@chris-wood chris-wood Awaiting requested review from chris-wood chris-wood is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Clarify interaction with DTLS 1.3
3 participants
@davidben @ekr @martinthomson