0-RTT #14
Comments
You are right. I am reading the RFC the same way. Thanks for bringing this up. I was aware that early data wasn't working correctly, but hadn't found a good way to debug this. All test installations of TLS 1.3 servers I have tried didn't support early data.
Actually I am having some second thoughts! Figure 4 in the RFC shows
[Application data] being sent from the Server to the Client (presumably in
response to the early data sent from Client to Server), just before the
client sends (EndOfEarlyData) from Client to Server.
Now the square brackets around [Application Data] indicate that it is
encrypted using keys derived from the application traffic secret. But this
secret requires the transcript hash. Which means that EndOfEarlyData cannot
be included in that hash as it hasn't been sent yet.
It's all very confusing...
Mike
> On Sun, Jan 17, 2021 at 9:54 PM Nico Schmidt wrote:
> You are right. I am reading the RFC the same way. Thanks for bringing this
> up. I was aware that early data wasn't working correctly, but hadn't found
> a good way to debug this. All test installations of TLS 1.3 servers I have
> tried didn't support early data.
> I am currently looking into this.
> Thanks again.
Right. My current interpretation is that the server and the client application traffic secrets are created at different points in the handshake. That means the server transcript hash does not have the end-of-early-data message in its hash, while the client does.
No, that was not right. On page 92 of the RFC it says both the client and the server application traffic secrets include all handshake messages up to the server Finished.
I have now enabled the test server to send early data responses. I think the early data handling is working correctly. Maybe you want to have a try with your client.
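The point settled in the two comments above (which messages are hashed into which secret) is easy to get wrong, so here is an added example, not code from the swifttls project or from anyone in this thread, that walks the RFC 8446 key schedule (sections 4.4.4 and 7.1) for a PSK resumption with 0-RTT and records, for every secret, the message list that went into its transcript hash. The message bytes are constructed stand-ins; a real client hashes the actual Handshake messages including their headers (and the HelloRetryRequest replacement rule). The PSK and ECDHE inputs are constructed too. The only real-world value checked is HKDF-Extract(0, 0), which RFC 8448 lists as the early secret of a non-PSK handshake.

```python
"""Added example (not swifttls code): TLS 1.3 key schedule transcripts.

Shows that the application traffic secrets use ClientHello..server Finished,
while the client Finished and the resumption master secret also cover
EndOfEarlyData. Standard library only (RFC 8446 sections 4.4.4 and 7.1).
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32

# Constructed stand-ins for the handshake messages of a PSK + 0-RTT handshake.
SAMPLE_MESSAGES = {name: name.encode("ascii") for name in [
    "ClientHello", "ServerHello", "EncryptedExtensions", "ServerFinished",
    "EndOfEarlyData", "ClientFinished"]}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract is a single HMAC with the salt as key (RFC 5869)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: HkdfLabel = length || "tls13 " + label || context."""
    full_label = b"tls13 " + label.encode("ascii")
    info = (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:          # HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_secret(secret: bytes, label: str, messages) -> bytes:
    """Derive-Secret: the context is Transcript-Hash(messages)."""
    transcript_hash = HASH(b"".join(messages)).digest()
    return hkdf_expand_label(secret, label, transcript_hash, HASH_LEN)


def finished_verify_data(base_key: bytes, messages) -> bytes:
    """verify_data = HMAC(finished_key, Transcript-Hash(Handshake Context))."""
    finished_key = hkdf_expand_label(base_key, "finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(b"".join(messages)).digest(), HASH).digest()


def key_schedule(psk: bytes, ecdhe: bytes, msgs: dict) -> dict:
    """Return {"secrets": label -> bytes, "transcripts": label -> [message names]}."""
    zeros = bytes(HASH_LEN)
    transcripts = {}

    def ds(secret, label, names):
        transcripts[label] = list(names)      # remember exactly what was hashed
        return derive_secret(secret, label, [msgs[n] for n in names])

    early_secret = hkdf_extract(zeros, psk)                 # salt 0, IKM = PSK
    binder_key = ds(early_secret, "res binder", [])
    client_early = ds(early_secret, "c e traffic", ["ClientHello"])
    handshake_secret = hkdf_extract(ds(early_secret, "derived", []), ecdhe)
    up_to_sh = ["ClientHello", "ServerHello"]
    c_hs = ds(handshake_secret, "c hs traffic", up_to_sh)
    s_hs = ds(handshake_secret, "s hs traffic", up_to_sh)
    master_secret = hkdf_extract(ds(handshake_secret, "derived", []), zeros)
    # Application traffic secrets: ClientHello ... server Finished only.
    # Neither EndOfEarlyData nor the client Finished is part of this hash.
    up_to_server_finished = up_to_sh + ["EncryptedExtensions", "ServerFinished"]
    c_ap = ds(master_secret, "c ap traffic", up_to_server_finished)
    s_ap = ds(master_secret, "s ap traffic", up_to_server_finished)
    exp_master = ds(master_secret, "exp master", up_to_server_finished)
    # Client Finished context: ... server Finished, then EndOfEarlyData (4.4.4).
    client_fin_ctx = up_to_server_finished + ["EndOfEarlyData"]
    transcripts["client Finished"] = client_fin_ctx
    client_verify = finished_verify_data(c_hs, [msgs[n] for n in client_fin_ctx])
    # Resumption master secret: everything through the client Finished.
    res_master = ds(master_secret, "res master", client_fin_ctx + ["ClientFinished"])
    return {"secrets": {"early": early_secret, "res binder": binder_key,
                        "c e traffic": client_early, "handshake": handshake_secret,
                        "c hs traffic": c_hs, "s hs traffic": s_hs,
                        "master": master_secret, "c ap traffic": c_ap,
                        "s ap traffic": s_ap, "exp master": exp_master,
                        "client verify_data": client_verify, "res master": res_master},
            "transcripts": transcripts}


if __name__ == "__main__":
    sched = key_schedule(b"\x11" * 32, b"\x22" * 32, SAMPLE_MESSAGES)   # constructed inputs
    for label, names in sched["transcripts"].items():
        print(f"{label:16s} <- {' '.join(names) or '(empty transcript)'}")
```

Run it and the printed table is the answer to the question in the thread: `c ap traffic` and `s ap traffic` both stop at `ServerFinished`, `client Finished` is the first context that contains `EndOfEarlyData`, and `res master` is the only secret that also covers `ClientFinished`.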
Hello Nico,
Yes! that works fine. My client first does a handshake retry (as you don't
do X25519?), and then tries a session resumption with early data. And the
server responds to that early data.
Thanks for doing that, it is not easy to debug a TLS 1.3 client. Here is
the debug output of my program (it's a bit big, feel free to delete this
message if you want)
Mike
Hostname= swifttls.org
ip= 109.74.204.5
Private key=
0x0170a7e6c297fc8026ae8072c62596273bfa792879716e3d9f9c518384efae97
Client Public key=
0x402a2d7a1ca22eac2a3ab843c7a12a12343e85ce545c190a50fe8b5a1dc4ec15
Client to Server ->
16030100bf010000bb0303b39355382dcd121e82437b9e0f1072f0f3698fba2281672931b0a94be2653be7200403f3756202316ccebcb64486be4f0d84d1c62e14b21ad9d9f19560265e4b430004130113020100006e00000011000f00000c7377696674746c732e6f7267000a00080006001d00170018000d0012001004030804040105030805050108060601003300260024001d0020402a2d7a1ca22eac2a3ab843c7a12a12343e85ce545c190a50fe8b5a1dc4ec15002d00020101002b0003020304
Client Hello sent
Server Random=
cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c
Handshake Retry request!
Cipher suite= 1301
tls version= 0304
Key Share = 0017
Server HelloRetryRequest= 88
020000540303cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c200403f3756202316ccebcb64486be4f0d84d1c62e14b21ad9d9f19560265e4b43130100000c002b00020304003300020017
Client to Server ->
16030300e0010000dc0303a53891fa90aeac927e3686c11ffdcc643c56f116720d91e8af32b1cf245c538220ccf155d37563cf2191541e022a2c06ad8c80728d71bf3b30c9ce0eb34e26e1920004130113020100008f00000011000f00000c7377696674746c732e6f7267000a00080006001d00170018000d0012001004030804040105030805050108060601003300470045001700410425f14ba23afb40bbccabcf620ac7c285fd41d0f210910162fb64d09e52c122fc7130a2deea33293770c637199f4edea075057b1e7acef45462d0d8a566b1fed3002d00020101002b0003020304
Server Random=
25b719a5c29b7d78cfc7bf9ec6e17cdb1cc8e30e7ec9c771c4db0fd8c7bb5a7e
Cipher suite= 1301
Key Share = 0017
Server Public Key=
04c00a53ca002cfed1d72c727800da9497d34ac44bee21543fed03425137c7929666ce15c3f74fef4a8de949fb969cd12068f68cc87426ea45a22373ed71a55df3
tls version= 0304
Server Hello= 155
02000097030325b719a5c29b7d78cfc7bf9ec6e17cdb1cc8e30e7ec9c771c4db0fd8c7bb5a7e20ccf155d37563cf2191541e022a2c06ad8c80728d71bf3b30c9ce0eb34e26e192130100004f003300450017004104c00a53ca002cfed1d72c727800da9497d34ac44bee21543fed03425137c7929666ce15c3f74fef4a8de949fb969cd12068f68cc87426ea45a22373ed71a55df3002b00020304
SECP256R1 Key Exchange
Shared Secret=
8036b974c2bcf5130db585ad55c3f66aa83785c9775e22bdcdf3332d34ec1dc0
Handshake Secret=
da45dee93ee938d89a2dddfbd40bfbc88cf909bd8641c6e508829f57794f2eae
Client handshake traffic secret=
cba5cb38a4d397bae7213b195363f22ebec56ae0408e4a2b9df823f6c2760473
Server handshake traffic secret=
1131f1572fe474c7e636223a7a169d79c771f9bbb3c28a8a7f5bcfe3fc49ee19
Server fragment authenticates 19
12 padding bytes removed
Length of Encrypted Extension= 0
Server fragment authenticates 2570
12 padding bytes removed
1. Transcript Hash=
b67be3f4f3afc7e0073d299e9cf45ad2fa81e3bad96cfde4d2096b3ec0072c4f
Server certificate
Signature is
(hex value omitted)
RSA signature of length 2048
Public key= 256
(hex value omitted)
RSA public key of length 2048
Issuer is Let's Encrypt Authority X3
Subject is swifttls.org
st.curve= 2048
SIG= 256
4384d802a2bef1d6c17cce6d89996421015bc7dce12ee85dac5868ffc21d537f062fbb8e6fba1f4a5838ec3125f0941403baf420f3aa50ff2725ea90a7d8686c569827bb1d5cb2262732d7edf1e8f8f6676c861fee8de070396a6cfe644566fc339d18c8ef08eb83b739ddddd08a8c31bc6630e7be9a069b374c925a061cb094ad25ad1053ea6f6db32b08a7282904cbc793fc595948927fb89d4b8f22d5d58346e5739033d3e103d9ea5dd97a43a3317f526b0b4191d5359411574fb03453c8535a3714d6f1aa2e802c56370aa294396b63ac4927999e745c66547960dfd9cecb7f440003149f23c6e1fd1869d4e243aa7ad645a2af4bba2507bac6efa47378
RSA PUBLIC KEY= 256
9cd30cf05ae52e47b7725d3783b3686330ead735261925e1bdbe35f170922fb7b84b4105aba99e350858ecb12ac468870ba3e375e4e6f3a76271ba7981601fd7919a9ff3d0786771c8690e9591cffee699e9603c48cc7eca4d7712249d471b5aebb9ec1e37001c9cac7ba705eace4aebbd41e53698b9cbfd6d3c9668df232a42900c867467c87fa59ab8526114133f65e98287cbdbfa0e56f68689f3853f9786afb0dc1aef6b0d95167dc42ba065b299043675806bac4af31b9049782fa2964f2a20252904c674c0d031cd8f31389516baa833b843f1b11fc3307fa27931133d2d36f8e3fcf2336ab93931c5afc48d0d1d641633aafa8429b6d40bc0d87dc393
Checking RSA Signature on Cert 32
RSA Signature/Verification succeeded
Intermediate Certificate Chain sig is OK
Intermediate Certificate
Signature is
(hex value omitted)
RSA signature of length 2048
Public key= 256
(hex value omitted)
RSA public key of length 2048
Issuer is DST Root CA X3
Subject is Let's Encrypt Authority X3
Public Key from root CA cert=
(hex value omitted)
st.curve= 2048
SIG= 256
(hex value omitted)
RSA PUBLIC KEY= 256
dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d
Checking RSA Signature on Cert 32
RSA Signature/Verification succeeded
Root Certificate sig is OK!!!!
Certificate Chain is valid
Server fragment authenticates 277
12 padding bytes removed
2. Transcript Hash=
4066ae522e25e1f3390035572764a45c915bc91d9160c54ee207e074dbfecd2b
Signature Algorithm= 0804
Server Certificate Signature= 256
(hex value omitted)
Server Cert Verification OK
Server fragment authenticates 49
12 padding bytes removed
3. Transcript Hash=
a0630db59fb4293004025289f57c5a962e84011fa37586d6a48fb382b4ac4ba5
Server Data is verified
Client Verify Data=
b820d6c371057bfa7614be2b3e1a81715b224e399ba06e2d17e1b8299ca365d5
Client to Server ->
170303003583892348b3e61be337bcf591045e4bda4211e7b776fb5eca881b94eda44b4a07968a5ef1808d0c2e6f7095826a0709d7e7275688a1
Client application traffic secret=
60fc7bb14ccc33d606a17070310c36c7a12740c1402b174acfc82eac8c89ae42
Server application traffic secret=
1c5107e3696b9bf963b9536f8969d6975b06a7d14ac867ca441bc41b89c34af3
Sending Application Message
GET / HTTP/1.1
Host: swifttls.org
Client to Server ->
1703030037b9439dae723e8424b35a3bdcfec7eb591c91e13c93ec79857de56a7c0c23cce1cc0f03eb6dce3e5b6ef4073b590c275289cb7b6ba152b1
Waiting for Server input
Server fragment authenticates 71
12 padding bytes removed
Got a ticket
Waiting for Server input
Server fragment authenticates 439
12 padding bytes removed
Application data (truncated HTML) =
485454502f312e3120323030204f4b0d0a5365727665723a205377696674544c530d0a5374726963
Waiting for Server input
TIMEOUT
Connection closed
Connection re-opened - attempting resumption
Ticket=
00000e106744dbcb010000200abe1a546444a65a14c7830692fae3ebce299bc64867bd51267aff337ca92a870008002a00040000a000
Ticket details
life time t= 60 minutes
Age obfuscator = 6744dbcb
Nonce = 00
Ticket = 32 0abe1a546444a65a14c7830692fae3ebce299bc64867bd51267aff337ca92a87
max_early_data = 262144
PSK= 5fb6ba90e449a650708808bbbab2c74ce98b38466f5ceade2e116b06d1d931dc
Binder Key= 32
829d4638e61c08b104d0b719c3facfc4fe6b86fb6a593a94428d770811ed4c2c
Early Secret=
1e25202ad4fd112ddcd1e26a111ed364750008dcf4212964c10e840d546221c4
Private key=
0x029c2115657b5a952f19832b3219c1c5a7a97837c05c25609de1396e36984a4e
Client Public key=
0x0438ecb199120283ec3b042a1ab73809f16c70ab1ce847de1820c0e9e3cb1a1c5a53db00dd1a437ad179658a323046290c483090cbedffac78aa983ab2d760ccfb
Ticket age= 5114
obfuscated age = 6744efc5
Client to Server ->
(hex value omitted)
Truncated Client Hello sent
BND= 31a541997912f40cc9fe8f49025c502703c5b4d696157170131f1769d3eb6cce
Sending Binders
Client to Server ->
160303002300212031a541997912f40cc9fe8f49025c502703c5b4d696157170131f1769d3eb6cce
Client Early Traffic Secret=
97e8449a134b83da2b0bdb0a707e94863c77c1c5e5d875658dd93dbf66b49cc6
Sending some early data
Sending Application Message
GET / HTTP/1.1
Host: swifttls.org
Early-Data: 1
Client to Server ->
1703030046172444fd421667c98331214406aa92aab2aa0881b0ed3f6d6cd8efac39d934916becf0484583d6be2a77ddb7ab8b4b0efa999de3d7403caa1f4606138f466f8b6f29c478ee09
Server Random=
25b719ab8881259c48a8a3daa286c670af6136f8c8f349ee6e4921eaf24c7159
Cipher suite= 1301
Key Share = 0017
Server Public Key=
04dcada67f3bd198125448491ea968e62780f57b3958ac4b83e6660889ffb7a5f72471125886cef75e7a9bda115d24c9dfcf4bb13dae86bd16421f7746b43898c5
tls version= 0304
PSK ID= 0
serverHello= 161 0
0200009d030325b719ab8881259c48a8a3daa286c670af6136f8c8f349ee6e4921eaf24c715920a22864e5d2dfe705e4dc243ad226de8a40f9177bd18487e29b82420a692bd5941301000055003300450017004104dcada67f3bd198125448491ea968e62780f57b3958ac4b83e6660889ffb7a5f72471125886cef75e7a9bda115d24c9dfcf4bb13dae86bd16421f7746b43898c5002b00020304002900020000
SECP256R1 Key Exchange
Shared Secret=
c21695de18de72e4fe594ee2181eba8154e0fff1b174923419689a0b9ca125bf
Handshake Secret=
df4661dab16a7fc1196c36d5b5fe0401fd0172c155cf2d9792a323217a92063c
Client handshake traffic secret=
60be4bc5d462a698ac6ed5a945475be82031d7bebddb8d42f319097220206343
Server handshake traffic secret=
9d49d960ec385693dfdf4d88d3694860d7c5ea470fccc546ebb93723302cce70
Server fragment authenticates 23
12 padding bytes removed
Length of Encrypted Extension= 4
Early Data Accepted
2. Transcript Hash=
d8233d93154ccedae45361a21acac29d6a244725da4cae02fc144dc0e0f2f07d
Server fragment authenticates 49
12 padding bytes removed
SR.len= 0
Send End of Early Data
Client to Server -> 1703030015d38f7638b857d65b4d9effa317871ae933287f46e6
3. Transcript Hash=
9045833c8871f10c44b57bcf910f06848a6096c0d239fb58b4b2f143654b2c75
Server Data is verified
Client Verify Data=
769d0ef3c6f22489319170b2c94aada4ae95aa34b2c88bb66c9ced47714c1d01
Client to Server ->
170303003504ea1fea838213f765597c5a571b099e4d48aeefdee74a412af4e8278825d74d08ac28a118d55168f35d2a6efd9d78038ed56287d1
Client application traffic secret=
f62386365f4f06dc25d218b7aa86f6b58fc6346742c4bfd6ce108eaa9fcba925
Server application traffic secret=
42cd9298d5d384e1297ee33e12e04601ca6f8eb022d98ec23446d97bb0658243
Waiting for Server input
Server fragment authenticates 740
12 padding bytes removed
Application data (truncated HTML) =
485454502f312e3120323030204f4b0d0a5365727665723a205377696674544c530d0a5374726963
<-- Response to Early Data!!!
Waiting for Server input
Server fragment authenticates 71
12 padding bytes removed
Got a ticket
Waiting for Server input
TIMEOUT
> On Tue, Jan 19, 2021 at 1:14 PM Nico Schmidt wrote:
> I have now enabled the test server to send early data responses. I think
> the early data handling is working correctly. Maybe you want to have a try
> with your client.
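The resumption half of the log above prints the raw NewSessionTicket body (`Ticket=`), the decoded fields, and then the `Age obfuscator`, `Ticket age` and `obfuscated age` used in the second ClientHello. As an added example, not code from the swifttls project or from anyone in this thread, the block below parses that exact ticket body (copied from the log, so it is the page's own data) and computes obfuscated_ticket_age the way RFC 8446 sections 4.2.11 and 4.6.1 describe; it also applies the lifetime checks a client is required to make before offering the ticket. Note that parsing the early_data extension in this ticket yields max_early_data_size = 0x0000a000 = 40960 bytes, whereas the client log prints 262144; that mismatch is worth a look in the client's ticket parser.

```python
"""Added example (not swifttls code): NewSessionTicket parsing and
obfuscated_ticket_age, RFC 8446 sections 4.2.11, 4.2.11.1 and 4.6.1."""
import struct

# Exact bytes from the "Ticket=" line of the client log above.
TICKET_HEX = ("00000e106744dbcb010000200abe1a546444a65a14c7830692fae3ebce299bc6"
              "4867bd51267aff337ca92a870008002a00040000a000")
EARLY_DATA_EXT = 0x002A          # ExtensionType early_data(42)
MAX_TICKET_LIFETIME = 604800     # seven days, the RFC's upper bound


def parse_new_session_ticket(body: bytes) -> dict:
    """Decode the NewSessionTicket handshake body (without the 4-byte header).

    struct { uint32 ticket_lifetime; uint32 ticket_age_add;
             opaque ticket_nonce<0..255>; opaque ticket<1..2^16-1>;
             Extension extensions<0..2^16-2>; } NewSessionTicket;
    """
    off = 0
    lifetime, age_add = struct.unpack_from(">II", body, off)
    off += 8
    nonce_len = body[off]
    off += 1
    nonce = body[off:off + nonce_len]
    off += nonce_len
    (ticket_len,) = struct.unpack_from(">H", body, off)
    off += 2
    if ticket_len == 0:
        raise ValueError("ticket must be at least 1 byte")
    ticket = body[off:off + ticket_len]
    off += ticket_len
    (ext_len,) = struct.unpack_from(">H", body, off)
    off += 2
    end = off + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match body length")
    max_early_data = None            # absent means 0-RTT is not permitted
    while off < end:
        ext_type, ext_len = struct.unpack_from(">HH", body, off)
        off += 4
        data = body[off:off + ext_len]
        off += ext_len
        if ext_type == EARLY_DATA_EXT:
            if ext_len != 4:
                raise ValueError("early_data extension must carry a uint32")
            (max_early_data,) = struct.unpack_from(">I", data)
    return {"ticket_lifetime": lifetime, "ticket_age_add": age_add,
            "ticket_nonce": nonce, "ticket": ticket,
            "max_early_data_size": max_early_data}


def ticket_usable(ticket_lifetime: int, age_ms: int) -> bool:
    """Client-side checks before offering the ticket as a PSK (section 4.6.1)."""
    if ticket_lifetime == 0:                      # 0 means: do not cache
        return False
    if ticket_lifetime > MAX_TICKET_LIFETIME:     # server violated the limit
        return False
    return age_ms <= ticket_lifetime * 1000       # lifetime is in seconds


def obfuscated_ticket_age(age_ms: int, ticket_age_add: int) -> int:
    """PskIdentity.obfuscated_ticket_age = (age in ms + ticket_age_add) mod 2^32."""
    return (age_ms + ticket_age_add) & 0xFFFFFFFF


def client_view(ticket_hex: str, age_ms: int) -> dict:
    """Everything a client derives from the ticket before building its PSK identity."""
    fields = parse_new_session_ticket(bytes.fromhex(ticket_hex))
    return {**fields,
            "usable": ticket_usable(fields["ticket_lifetime"], age_ms),
            "obfuscated_ticket_age": obfuscated_ticket_age(age_ms, fields["ticket_age_add"])}


if __name__ == "__main__":
    view = client_view(TICKET_HEX, 5114)         # 5114 ms is the age printed in the log
    for key, value in view.items():
        print(f"{key:22s} {value.hex() if isinstance(value, bytes) else value}")
    print(f"obfuscated age hex     {view['obfuscated_ticket_age']:08x}")
```

With the ticket age of 5114 ms shown in the log, the computed obfuscated age is 0x6744efc5, which is exactly what the client sent, so that part of the resumption path agrees with the RFC; the lifetime decodes to 3600 seconds (the log's 60 minutes) and the nonce to the single byte 00.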
Hi Mike, I guess this is the log from your request (the only one with early data):
Client Request: 2021-01-19 13:44:11.766 (~427): Error: Socket Closed serverNames: ["swifttls.org"]
Client Request: 2021-01-19 13:44:12.407 (~428): Server: sending 727 bytes of early data
:-) Tell me about it. Took me a long time, too. With the more subtle bugs, I had a working implementation running on the other end (like OpenSSL or something) and littered it with debug logs to see why it wasn't accepting my input.
Will do. Yours is the most developer-friendly implementation I have come
across.
BTW if you want to consider an alternative Swift crypto library (that does
do X25519!), check out https://github.com/miracl/core :)
Mike
> On Tue, Jan 19, 2021 at 8:24 PM Nico Schmidt wrote:
> > it is not easy to debug a tls1.3 client
> :-) Tell me about it. Took me a long time, too. With the more subtle bugs,
> I had a working implementation running on the other end (like OpenSSL or
> something) and littered it with debug logs to see why it wasn't accepting
> my input.
> Feel free to use my server locally :-)
Thanks. It is nice to hear that it is useful to you :-)
Cool, I will take a look.
I am testing my TLS1.3 client against swifttls.org, in particular 0-RTT on session resumption. It works OK if I calculate the application keys based on a transcript hash taken over everything up to and including Server Finish. But it does not work if I include the end-of-early-data message in the transcript hash. My reading of the RFC would indicate that it should be included?