Potential of including TLSv1.3 support in Bro 2.5

I just finished a branch that adds support for TLSv1.3 to Bro (branch
topic/johanna/tls13, important commit:
https://github.com/bro/bro/commit/fdef28ce7c3455d43267ab07dbb8ad96c9ea3890).

What do people think of the idea of adding that patch to the upcoming Bro
2.5 release?

I know that we are quite late in the current release process and that we
should not really make any feature changes after releasing the beta. It
would, however, be neat to be able to support TLSv1.3 starting the moment
that people actually start to use it; without that support, we will only
have empty lines in ssl.log for these connections. Furthermore, the
changes that are needed to support TLSv1.3 have nearly no interaction with
the code that is used to parse earlier versions of TLS. Even if there are
problems with the code (or if the on-the-wire format still changes), the
only thing that should happen is that binpac throws errors. Which is
exactly what already happens now when throwing TLSv1.3 sessions at the
current master versions of Bro.

Thanks,
Johanna

What do people think of the idea of adding that patch to the upcoming Bro
2.5 release?

I like the idea! +1

Jan

I think the current feature freeze is a self-imposed limit out of coding discipline - but it ok to make exceptions. Esp since 2.6 would be long way away.

Risky as it is, It seems like inclusion of this code isn't going to cause any significant problems. FWIW, I can run this branch on my end for until release happens.

Aashish

I would be happy if you test this branch - however, you are actually unlikely to trigger the new code paths. TLS 1.3 is still in the development stage, so much that I doubt that you will even encounter a single connection that uses it. At the moment, you have to enable it by hand in the development edition of browsers, and more or less compile your own server that is able to speak it.

(That being said, I am quite confident the on-the-wire format won't change significantly enough anymore that the new analyzer won't be able to parse it.)

Johanna

Well, I should point out that Cloudflare enabled it a couple of weeks ago: https://blog.cloudflare.com/introducing-tls-1-3/

I was able to connect with my usual browser and grab a PCAP (after setting the option in about:config). It seems to run just fine against the branch (attached, in case it’s of any use).

Is there any way to detect TLS 1.3 with git master? I wouldn’t expect to see any, but I’ve been surprised once or twice before. I ran the PCAP against master, and while I did get an ssl.log, I didn’t see anything in there that would indicate it’s TLS1.3.

–Vlad

tls13draft16-firefoxdevedition51.0a2-cloudflare.pcap (117 KB)

Yeah, indeed. I just looked over the changes, they look fine and
rather unobtrusive to me (not that I would know TLS 1.3 :). I'd be
fine with merging as well, given that we'll need another round of
testing anyways with the SMB updates, so the TLS code will see some
more exercising (for regressions at least) then as well. Unless I hear
objections, I'll go ahead and merge.

Robin

Well, I should point out that Cloudflare enabled it a couple of weeks ago:
https://blog.cloudflare.com/introducing-tls-1-3/

You actually got that to run? I did not manage to get any client to successfully negotiate TLS 1.3 with them and set up my own server in the end. But perhaps they updated in the last few days...

I was able to connect with my usual browser and grab a PCAP (after setting
the option in about:config). It seems to run just fine against the branch
(attached, in case it's of any use).

Is there any way to detect TLS 1.3 with git master? I wouldn't expect to
see any, but I've been surprised once or twice before. I ran the PCAP
against master, and while I did get an ssl.log, I didn't see anything in
there that would indicate it's TLS1.3.

Well, it will show up as a binpac error while parsing a specific TLS message. Not the best way to do it :wink:

Johanna

As a follow-up: since all responses were positives, I filed a
merge-request for this and it should (hopefully) make it into 2.5.

Merge-request for those who want to follow it:
https://bro-tracker.atlassian.net/browse/BIT-1727

Johanna