Implement TLSFlags extension
It needs some tests.
Another high-level question: How does this interact with ECH?
Very good question.
Added code for server side. Tests to come tomorrow.
Another high-level question: How does this interact with ECH?
1. Is the extension present in both the inner and outer handshake?
2. If so, should it appear only in the inner handshake?
Currently the extension will be added to the inner handshake only: https://github.com/cloudflare/go/blob/cf/src/crypto/tls/ech.go#L81-L85
Only specific extensions are copied into the outer handshake: https://github.com/cloudflare/go/blob/cf/src/crypto/tls/ech.go#L92-L106
In my opinion, this is the correct behavior, assuming conservatively that the value of the TLS flags extension is privacy sensitive: https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.html#name-outer-clienthello
Note that since it appears in the inner handshake, it will be used by the server to terminate the connection. OTOH, if ECH is rejected, then it won't be used by the server to terminate the connection.
(Rebased on the cf branch based on Go 1.21.1, no other changes.)