-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Application Data Records in the TLSv1.3 Handshake? #17654
Comments
TLS 1.3 encrypts most of the handshake, see https://datatracker.ietf.org/doc/html/rfc8446#page-11 with the legend that |
Its a TLSv1.3 protocol thing. Records now have an "outer" and an "inner" content type. As soon as records start getting encrypted (which is early in TLSv1.3) the "outer" content type gets set to "Application Data". The "inner" content type tells you the real content type of the record - but this is encrypted and not visible to a passive observer. |
Thanks for the quick reply @kaduk and @mattcaswell! Now things make more sense to me. Just for curiousity: was the "Application Data" type chosen deliberately to prevent stupid middleboxes from tampering with the content? |
A new content type would almost certainly break middleboxes, though I don't know if we explicitly tried it. We even played with a smaller, two-byte header (version and content type are a waste of bytes), but that one we experimentally confirmed breaks middleboxes. That leaves always using application_data (making the handshake confusing) or always using handshake (making application data confusing). TLS 1.3 went with the former. Dunno whether handshake would also have gotten through middleboxes, but it's mostly an arbitrary choice. |
Thank you all for your enlightening replies! |
Postscript: indeed, the RFC explicitly states on page 81 that the record type was chosen for compatibility reasons with middleboxes:
|
Why does TLS1.3's 0x17 Application Data also need an Outer wrapper? Application Data is already an "Application Data" and should not require a TLS1.2 Outer wrapper. Sorry to ask that in this Issue. I didn't find the relevant question online, only this Issue has enough context :) |
TLSv1.3 can send alerts, handshake messages or application data all with the same application data outer content type. You need an inner content type to determine which one it really is, even for application data. |
The outer content type is a compatibility hack were stuck with, sadly. Most of the header in an encrypted TLS 1.3 record is vestigial. Folks considered a short record type during TLS 1.3's development, but it broke too much network middleware, which would try to parse the record headers. |
Some days ago a colleague confronted me with an interesting TLS problem: After switching the libssl library from 1.0.2 to 1.1.1 he encountered the issue that immediately after the SSL_connect() his previously working code now blocked in an SSL_read_ex() call, even though a preceding select() call had just returned marking the socket as readable. After some research, I found out that part of the problem was that the
SSL_MODE_AUTO_RETRY
mode is enabled by default since 1.1.1, which hadn't been the case previously. Disabling the mode and handling theSSL_ERROR_WANT_READ
errors correctly fixed his problem.What astonished me during my investigations was the fact the problem occurred only with the TLSv1.3 protocol and that the blocking was caused by TLS Records marked as 'Application Data' which were transmitted as part of the initial handshake. (The TLSv1.2 exchange contains only 'Handshake' and 'Change Cipher Spec' records.) Those 'Application Data' records seem to play a special role, as they are generated and consumed by the libssl library and are not handed to the application. Can anybody of you tell me what those records contain and why they are marked as 'Application Data' even though they are not intended for the application? I know that the RFC allows optional application data during the handshake, but I couldn't find any specific information about the possible use cases.
Regards, and thanks in advance,
Matthias
Below you find an outline of a simple Handshake (a little C client calling
SSL_connect()
against anopenssl s_server
, both running on localhost), recorded with tshark, the little command line brother of wireshark. (The full transcript is contained in the attached files tls13-connect.txt resp. tls12-connect.txt, see links below.)TLSv1.3 Handshake
grep -e 'Transport Layer Security' -e 'TLS.*Layer:' -A 4 tls13-connect.txt
TLSv1.2 Handshake (SSL_connect() against 'openssl s_server')
grep -e 'Transport Layer Security' -e 'TLS.*Layer:' -A 4 tls12-connect.txt
The text was updated successfully, but these errors were encountered: