Re: [bfcpbis] TCP/TLS: Who is TLS server when the connection goes down and is re-established?

Christer Holmberg <> Tue, 21 January 2014 01:21 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 713C61A027A for <>; Mon, 20 Jan 2014 17:21:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.851
X-Spam-Status: No, score=-3.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id c2ybmnfSPtTq for <>; Mon, 20 Jan 2014 17:21:46 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id F3F5C1A0002 for <>; Mon, 20 Jan 2014 17:21:45 -0800 (PST)
X-AuditID: c1b4fb2d-b7f1c8e000005ceb-6e-52ddcba99863
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id 46.FF.23787.9ABCDD25; Tue, 21 Jan 2014 02:21:45 +0100 (CET)
Received: from ([]) by ([]) with mapi id 14.02.0387.000; Tue, 21 Jan 2014 02:21:44 +0100
From: Christer Holmberg <>
To: Tom Kristensen <>
Thread-Topic: [bfcpbis] TCP/TLS: Who is TLS server when the connection goes down and is re-established?
Thread-Index: Ac8R+ZA84xutttU1TFChlBiOsCWPngAy768AAAq9+j4A1NzWIA==
Date: Tue, 21 Jan 2014 01:21:44 +0000
Message-ID: <>
References: <>, <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: fi-FI
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrDLMWRmVeSWpSXmKPExsUyM+Jvje7K03eDDLqm8ln8W3eUyeLKkV9s DkweU35vZPVYsuQnUwBTFJdNSmpOZllqkb5dAlfGpNs32AvOq1RMmvKevYFxv2wXIyeHhICJ xP+pe9khbDGJC/fWs3UxcnEICRxilFjV9JwRwlnCKPHk6iSgKg4ONgELie5/2iANIgLqEn17 v4M1MwtoSlw9vIsRxBYWyJBY8u8EG0i5iECmRMNkBYhyJ4n5r66ygNgsAqoSvT92grXyCvhK /O55wA6xaiOjxJE3rUwgCU4BP4mj1z+ygdiMQMd9P7WGCWKXuMSHg9eZIY4WkFiy5zyULSrx 8vE/VghbSWLF9kuMEPV6EjemTmGDsLUlli18zQyxWFDi5MwnLBMYxWYhGTsLScssJC2zkLQs YGRZxciem5iZk15uuIkRGCMHt/zW3cF46pzIIUZpDhYlcd4Pb52DhATSE0tSs1NTC1KL4otK c1KLDzEycXBKNTAGxC2YnHHjSpO4nggr29JKJy6/2UvXXuUKssuNt+p1s3010SVpzX7ViYXS u1fJ7+Z/ckq2Zlapstzt0GXhy9wD1gg4KhnVX0rfZnP6g1dgWiejzXL2ufy2E11bFDasMbwp Pjs3fQ7PtLff3QO+OdeqHr/S7CTL6beB879c/BS3I5KHpr4N2aXEUpyRaKjFXFScCAAjSiBu XwIAAA==
Cc: "" <>
Subject: Re: [bfcpbis] TCP/TLS: Who is TLS server when the connection goes down and is re-established?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BFCPBIS working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Jan 2014 01:21:49 -0000


Some initial text proposal:

"If the TCP connection is lost, the "active" endpoint is responsible for re-establishing the TCP connection.

Unless a new TLS session is negotiated, subsequent SDP Offers and Answers will not impact the previously negotiated TLS roles."



-----Alkuperäinen viesti-----
Lähettäjä: bfcpbis [] Puolesta Christer Holmberg
Lähetetty: 16. tammikuuta 2014 21:36
Vastaanottaja: Tom Kristensen
Aihe: Re: [bfcpbis] TCP/TLS: Who is TLS server when the connection goes down and is re-established?

Hi Tom,

>> I realize the following comes late in the process, and I apologize if 
>> it has been discussed, but it is related to something which just has 
>> recently popped up in 3GPP, and it's not addressed in the draft.
> Not too late, since we are still not finished! Anyway, the TCP/TLS 
> connection reuse is not altered while extending BFCP to support 
> unreliable transport. Any fixes now must be backwards compatible in 
> some way.
> That said and based on what I have seen from different vendors, most 
> of them still use TCP (without TLS) :)
> So, at least if we are changing anything to solve these issues, we 
> should add an informational note indicating this is a change where 
> legacy, pure RFC 4582 implementations might differ in behaviour...

I am not suggesting to change anything - I am suggesting to specify something which is currently unspecified :)

> By the way: How these issues was solved in 3GPP are along the lines of what you propose below?

We have had some discussions in 3GPP, and there are some text suggestions for the upcoming meeting next week.

However, the discussions so far have been mostly about Q2. Q1 came up on a mailing list just this week, and whill be discussed at the 3GPP meeting next week.

>> Section 7 says the following:
>> "For a TCP/TLS connection established using an SDP
>> offer/answer exchange [7], the answerer (which may be the client or
>> the floor control server) always acts as the TLS server."
>> Q1:
>> Assume the TCP/TLS connection, for whatever reason, goes down.
>> Now, I assume that whoever endpoint is "active" will most likely try 
>> to re-establish the TCP connection.
>> But, if the "active" endpoint doesn't send an Offer (i.e. it simply 
>> tries to re-establish the TCP connection based on the previously 
>> negotiated SDP information), who will act as TLS server? There is no 
>> Answerer.
>> One alternative would be to mandate the sending of an Offer when the 
>> TCP/TLS connection is re-established. Then it would be clear who is 
>> Offerer, and who is Answerer.
>> Another alternative would be to say that whoever was previously 
>> Answerer will act as TLS server.
> I'm not too fond of yet another re-INVITE being mandated, so if we 
> will fix this issue mandating the previous answerer to be the TLS 
> server would be my preference.

Assuming that, then my follow-up question is:

When you say "previous answerer", do you refer to the answerer in the latest Offer/Answer transaction, OR the answerer in the last Offer/Answer transaction that established/re-established the TCP/TLS connection (those Offer/Answer transactions may, or may not, be the same).

>> Q2:
>> Assume there is an Offer/Answer transaction during the session. Now, 
>> the TCP/TLS connection is not affected by that, but the TLS roles may 
>> change (if whoever was Offerer in the previous O/A transaction is now Answerer).
>> I think some wording would be needed about that also.
>> One alternative is to say that the TLS roles may change, but that 
>> doesn't affect the TCP/TLS connection.
> A healthy TCP/TLS connection shouldn't be affected at all, should it?

Correct. The question is whether such Offer/Answer can affect the TCP/TLS roles - even if the TCP/TLS connection itself if not affected. That could have impact on the case in Q1, where the TCP/TLC connection goes down, and it needs to be determined who is TLS server.

>However, any potential connection re-establishment will need to monitor 
>who was the last answerer to do the TLS initiation correctly.
>Hopefully I did understand the issue here, and added my 2 zlotys or 
>pence or whatever,

I think you did understand the issue :)



bfcpbis mailing list