-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Specify Version Negotiation after Crypto Failure #1069
Comments
In theory, you can't hit a crypto failure -- if the version is unknown, you have no data about what packet protection might have been used on the payload, let alone key selection. If the version number is unknown, you have no reference point to interpret any field outside the invariants. |
@MikeBishop yes, you are right in theory. But in practice I just tested that two implementations out of 10 got it wrong, so I suspect we need to be a bit more explicit. |
Section 7.2.1 seems to already discuss this. It sounds like the problem is that people are jumping directly to decrypting and missing the discussion of determining whether the version is appropriate. I think Section 7 is evolving in a direction of an overall "how to process incoming packets" flowchart -- maybe that's the needed clarification. |
@huitema, do you think that the new text in Section 7.1 helps here? If not, perhaps you could recommend some text to add (and the appropriate location for that text). |
Section 7.1.2 says: If a server receives a packet that has an unsupported version and sufficient length to be an Initial packet for some version supported by the server, it SHOULD send a Version Negotiation packet as described in Section 7.2.1. Servers MAY rate control these packets to avoid storms of Version Negotiation packets. That's good, but I would add a specific caveat. "Packets from different versions may use different parameters when computing clear text packet protection per [some appropriate ref to the TLS draft]. Servers who do not support a particular version will not be able to decrypt the content of the packet. They still SHOULD send a Version Negotiation packet, as long as the message has a sufficient length." |
This is apparently a common failing in server implementations. Closes #1069.
During the recent interop tests, we have seen a number of version negotiation failures, which goes like that:
some version dependent "cleartext key" -- note the same a specified in draft-08.
The TLS spec seems unambiguous:
The salt value is a 20 octet sequence shown in the figure in hexadecimal notation. Future
versions of QUIC SHOULD generate a new salt value, thus ensuring that the keys are different
for each version of QUIC. This prevents a middlebox that only recognizes one version of QUIC
from seeing or modifying the contents of handshake packets from future versions.
Yet, several implementations missed that. Is the spec clear enough?
The text was updated successfully, but these errors were encountered: