Compatibility of X25519Kyber768 ClientHello

Gentry Deng via nginx
October 09, 2023 11:56AM

I recently encountered a compatibility issue with X25519Kyber768
(https://bugs.chromium.org/p/chromium/issues/detail?id=1484074): I was
unable to access the site via X25519Kyber768-enabled Google Chrome on a
server with only TLS 1.2 enabled, but not TLS 1.3.

The Chromium team replied:

> Regarding TLS 1.2 vs TLS 1.3, a TLS ClientHello is generally good for
> all the parameters we support. So though we include TLS 1.3 with Kyber
> in there, we also include parameters for TLS 1.3 without Kyber and TLS
> 1.2. So if the server and network are behaving correctly, it's
> perfectly fine if the server only supports TLS 1.2.
> I'm able to reproduce the problem. It looks like a bug in
> www.paypal.cn's server. They didn't implement TLS 1.2 correctly.
> Specifically, they do not correctly handle when the ClientHello comes
> in in two reads. Before Kyber, this wasn't very common because
> ClientHellos usually fit in a packet. But Kyber makes ClientHellos
> larger, so it is possible to get only a partial ClientHello in the
> first read, and require a second read to try again. This is something
> that any TCP-based application needs to handle; you may not have
> gotten the whole message on a given read and need to keep on reading.
> www.paypal.cn will need to fix their server to correctly handle this case.

So the Chromium team isn't considering making a change, so I'm wondering
how compatible nginx is with this? Or what version is needed to make it
error free?

Best regards,
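
The failure mode described in the quoted Chromium reply, a ClientHello that arrives in more than one read, shown as an added example (not code from nginx, Chromium or the original post): the server keeps the bytes from each read and only parses once the TLS record and the handshake message inside it are complete. `ch_buf`, `ch_feed` and `ch_demo` are hypothetical names, and the sample hello is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum ch_status { CH_ERROR = -1, CH_NEED_MORE = 0, CH_COMPLETE = 1 };
struct ch_buf { uint8_t data[32768]; size_t len; };  /* bytes kept across reads */

/* Append the bytes from one read, then report whether a whole ClientHello is
 * buffered. Hypothetical helper; re-parses from offset 0 on every call. */
enum ch_status ch_feed(struct ch_buf *b, const uint8_t *in, size_t n)
{
    uint8_t hs_hdr[4];                  /* handshake type + 24-bit length */
    size_t hdr_n = 0, hs_total = 0, off = 0;
    if (n > sizeof(b->data) - b->len)
        return CH_ERROR;                /* refuse rather than overflow */
    memcpy(b->data + b->len, in, n);
    b->len += n;

    while (b->len - off >= 5) {         /* a full 5-byte record header */
        const uint8_t *rec = b->data + off;
        size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
        if (rec[0] != 0x16 || rec_len == 0 || rec_len > 16384)
            return CH_ERROR;            /* not a valid handshake record */
        if (b->len - off - 5 < rec_len)
            return CH_NEED_MORE;        /* record body still in flight */
        for (size_t i = 0; i < rec_len && hdr_n < 4; i++)
            hs_hdr[hdr_n++] = rec[5 + i];   /* header may straddle records */
        hs_total += rec_len;
        off += 5 + rec_len;
        if (hdr_n == 4) {
            if (hs_hdr[0] != 0x01)
                return CH_ERROR;        /* first message must be client_hello */
            if (hs_total >= 4 + (((size_t)hs_hdr[1] << 16) |
                                 ((size_t)hs_hdr[2] << 8) | hs_hdr[3]))
                return CH_COMPLETE;
        }
    }
    return CH_NEED_MORE;                /* keep reading; this is not an error */
}

/* Constructed sample (zero-filled body): one record delivered as two reads split at `cut`. */
enum ch_status ch_demo(size_t cut, enum ch_status *first)
{
    static uint8_t msg[1409] = { 0x16, 0x03, 0x01, 0x05, 0x7c,  /* record, len 1404 */
                                 0x01, 0x00, 0x05, 0x78 };      /* client_hello, len 1400 */
    static struct ch_buf b;
    b.len = 0;
    *first = ch_feed(&b, msg, cut);
    return ch_feed(&b, msg + cut, sizeof(msg) - cut);
}
```

A server that treats the first `CH_NEED_MORE` as a malformed hello, instead of reading again, shows the behaviour the reply attributes to the affected site.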
