Change https://golang.org/cl/246337 mentions this issue: crypto/tls: support post-handshake client authentication

I tried to implement the post-handshake authentication for the TLS 1.3 client. The change above supports at least the server configuration from the issue.

The change is just a draft right now. It does not contain any tests, probably breaks tests, and blindly indicates support for post_handshake_auth. However, it is useful to see which areas are a bit difficult to deal with right now:

• The code for sending Certificate, CertificateVerify and Finished needs to be called from Conn
• The transcript of all handshake messages needs to be available from Conn. Right now, it is just available from clientHandshakeStateTLS13

Thank you for this question @skyfmmf and welcome to the Go project!

Kindly ping some cryptography experts @katiehockman @FiloSottile to take a look.

Thoughts, @FiloSottile ?

Ping, @FiloSottile

It would be useful to know how commonly required this is. I assume web servers do this when in TLS 1.2 they would have asked for a renegotiation?

The main complexity costs of this would be:

1. keeping handshake state past the end of the handshake
2. on the client, invoking GetClientCertificate after the end of that handshake, which might be unexpected by the application
3. on the server, exposing a whole new API

It's unlikely we'll implement this on the server side unless it's a very common request. On the client, we can consider it, like we did for (sigh) renegotiation. I wonder if (1) would affect every connection or if the server acknowledges interest in post-handshake auth.

Yes, in the place where we now see a request for PHA, with TLS 1.2 the server asked for a renegotiation. Renegotiation support in the TLS 1.2 client is also opt-in in Go, if I am not wrong? So this opt-in behavior is what you could imagine for PHA in the TLS 1.3 client as well?

For the client side, at least Apache considers it a client bug not to support PHA (https://bz.apache.org/bugzilla/show_bug.cgi?id=62975). As it affects some connections to the commonly used Apache httpd, I think PHA on the client side may be a common requirement. On the server side, I do not know, how commonly required it is.

I do not recall if the server in any way indicates that it supports PHA in the handshake, but I will check it later on. At least the RFC does not sound like the server would acknowledge the indicated client support.

Considering it a client bug seems excessive. It is definitely not a mandatory extension. https://tools.ietf.org/html/rfc8446#section-9.2

Chrome has not implemented it and Firefox gated it behind the off-by-default security.tls.enable_post_handshake_auth setting. https://bugs.chromium.org/p/chromium/issues/detail?id=911653#c4

The main problem with it is that it is a layering violation if it's not tightly integrated with the application protocol (like in HTTP/1.1) or if the application protocol is multiplexed (like HTTP/2). Indeed, there is an RFC forbidding its use with HTTP/2. https://www.rfc-editor.org/rfc/rfc8740.html

I don't think this is something we'd want to implement, since it seems it has a complicated deployment, compatibility, and safety story. I believe there are other efforts to bring post-handshake authentication to HTTP/2, although I have not checked in on them in a while.

I totally agree that considering it a client bug is a bit too much, given that it is not mandatory to implement.

I was not aware that the browsers mostly do not implement PHA. However, I would argue that web browsers are not generally the best reference when it comes to TLS client certificate support. I see client certificates more in use with machine-to-machine communication over HTTPS.

As PHA is standardized and used by at least one common server implementation, I still see that it could be relevant to implement the client side. To me it appears to be less of a mess and security issue than renegotiation. But I also understand that it is not a universally needed feature that adds complexity to the implementation and may therefore not be desired. Maybe we can wait a bit to see if there are further requests to implement it?

I agree client certificate support is probably more relevant to us than to browsers, but I'm not sure that extends to PHA. Most of the times client certificates are used in mTLS configurations where a certificate is negotiated at handshake time.

It is definitely less of a mess than renegotiation, but I still don't think it carries its own weight, due to the HTTP/2 incompatibility. Since applications already have to disable HTTP/2 if they want these semantics, they might as well also disable TLS 1.3 for now.

Happy to put this proposal on hold to collect further requests and gauge interest.

Placed on hold.
— rsc for the proposal review group

Ran into the same issue today. I was able to work around this, by forcing TLS 1.2 for now, but it would be great to use TLS 1.3 as well. So I'd gladly add my "+1" to the requester list.