I can Haz TLS 1.3 ?

Everybody wants to be able to use TLS 1.3. Among the reasons are:

  • It’s faster – being able to reconnect to a server you’ve previously used, and saving a full round-trip latency is impressive. 
  • It’s more reliable – the protocol has been cleaned up and simplified. For example, the related concepts of sessions, tickets, and pre-shared keys are merged and treated consistently. To a protocol designer, it is much more elegant, and therefore much easier to implement 
  • It’s more secure – Many world-class cryptographers have been involved in the protocol design, analyzed it, and tried to break it.

TLS has been in the “last call” for several weeks now.  What does that mean, and what’s holding it up?

The IETF is the organization that defines most of the standards that define how the Internet works. They cover everything from naming (DNS) to routing around firewalls, up to and including HTTP. The documents, known as RFCs, are created by working groups, passed to a steering committee for review, and then published as “Internet Standards.”

Participation in a working group (WG) is, by design, very easy and not a lot of overhead.  You just have to join a mailing list.  Every WG has a mailing list and there are currently more than 110 working groups hosted at the IETF. Each one has a status page, that shows their charter (what they are working on), the current set of documents, and pointers to the mailing lists.  For the TLS working group, that page is at https://datatracker.ietf.org/wg/tls/documents/.

Future RFC’s start as Internet-Drafts. Each draft usually goes through multiple revisions, as the working group members comment on it, other feedback is addressed, and so on.  At some point, the authors or editors will post a new draft.  By convention, every working group draft is named “draft-ietf-{WGNAME}-{subject}-{nn}” where {WGNAME} is the name of the working group, {subject} is the name of the document, and {nn} is the revision number.  For example, “draft-ietf-tls-tls13-21” is the 21st draft of the TLS 1.3 specification from the TLS working group.

The following diagram shows the flow as a set of stages. At any point, the subsequent reviews can send the document back to the first-two states, requesting major or minor changes.  From start to finish, the process usually takes one-half to many years.

 When the working group thinks a document is done, it enters WGLC, working group last call.  This period, usually lasting a couple of weeks, is the last chance to make editorial or serious factual fixes.  Since most people are deadline-driven, this is usually when many on the WG wake up and read the drafts. After WGLC, it goes to the IESG (the Internet Engineering Steering Group, basically technical leadership of the IETF) for review.  As I said, TLS 1.3 has been in WGLC for weeks.  So why can’t we use it yet?

First, the different drafts don’t interoperate. Each represents a different milestone on the way to the full specification, and a flag in the header identifies which draft is being used. OpenSSL, used by most of the servers on the Internet, is currently at draft-21. (Akamai funded the OpenSSL work, as discussed previously in https://blogs.akamai.com/2017/01/tls-13-ftw.html.) Chrome and Firefox, two of the most popular browsers on the Internet, are staying at draft-18; they don’t want to upgrade until we have the final version. (I think that’s silly, but I don’t work for either browser.)

Tests run by various companies, including Google, Mozilla, and Facebook, indicate that the “failure rate” of TLS 1.3 is too high – ranging from minimal to 3.4%, depending on who is doing the testing and how they are doing it. It appears that network hardware such as routers, gateways, load balancers and the like, are blocking TLS 1.3 packets because they don’t recognize the protocol. They are doing “fail closed” and block the connections because they don’t understand it, rather than assuming it’s safe to forward. The IETF often uses the term “middlebox” to describe such hardware that operates between endpoints, and this type of behavior that blocks new protocols as “ossification.”  The various companies, and no doubt others, are trying experiments to tweak the protocol to lower the failure rate. For example, in some circumstances it might be acceptable to make a TLS 1.3 message look like a TLS 1.2 message (after you’ve already committed to doing TLS 1.3).

There are no additional public details yet. When available, they will be on the TLS-WG mailing list, which you can find at the page I referenced above. Until then, because of the draft differences, it’s can be difficult to run even limited deployment tests unless you’re willing to work with bleeding edge releases and undocumented flags. That’s unfortunate, and we all hope that the situation will be improved by the next IETF meeting in November.

If you’re a developer, you can download and build OpenSSL and try its client/server programs on different machines in your network going through different pieces of network hardware and post your results to the mailing list.  That is a lot of work, not everyone can do it, nor get approval to make public statements.  Until then, we encourage everyone to test interop with the current draft, and participate and watch what’s going on in the standardization process. An upcoming blog post will explain how customers can enable TLS 1.3 for testing and what our plans are for enabling this in full general availability.


This is a Security Bloggers Network syndicated blog post authored by Rich Salz. Read the original post at: The Akamai Blog