Re: [Gen-art] Expanded alert codes. [Was Re: [TLS] Genart last call review of draft-ietf-tls-tls13-24]
Eric Rescorla <ekr@rtfm.com> Sun, 01 April 2018 13:53 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89842124207 for <gen-art@ietfa.amsl.com>; Sun, 1 Apr 2018 06:53:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ovwacl14uLBK for <gen-art@ietfa.amsl.com>; Sun, 1 Apr 2018 06:53:48 -0700 (PDT)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com [IPv6:2607:f8b0:4003:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FAFB120724 for <gen-art@ietf.org>; Sun, 1 Apr 2018 06:53:48 -0700 (PDT)
Received: by mail-oi0-x232.google.com with SMTP id 71-v6so11034530oie.12 for <gen-art@ietf.org>; Sun, 01 Apr 2018 06:53:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SdRDHe6J3qwifUZVLUzDYJqgfTsjzW3vdpXHFHebr6w=; b=e1uiM3Y9XBGb7UID0NbZgN1iguuI3QRcC5+Ff2Y6mNrbSTSwpHEuInhuIiXvEEIwYD s1uQAv+kog5EOfZ/2/y1HEEv0cTP2GQSYrixqIYo591wB5o1Rx5zwaMnF5Kw7/3n2hR1 L8dQoV6U1aFzun7935MjEBBa7/f+W7EjGFt6cWA8CwxjOWRDA6n+q8K68oxlcOCg4zp5 +cMS+9jD6w+k2TlFZOwHzk9o7Oa8n0XbAD1FeDR7LDK9tOrH5rq/BEbUnROtpfTi59gG ChN7qgwo6H7OfXHmyDMP/X/I3GNKdDRM5g0+R9Mqnw3NSF5WHSIPeiYsO4ls2cQnT2jM LblQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SdRDHe6J3qwifUZVLUzDYJqgfTsjzW3vdpXHFHebr6w=; b=eoHxwbJfuC1DvXu3puo4urVMbX1X1q1S7YXXIbE6Sje1XcJvsXi0hdG9RIyRgGBXnQ TutPMXKVU0l13+iNdwT2GNeSprbW0UKVexWrLYDyVsE8TUTrRRGGL0ksBVQX5O6sdaLf 3uykQ9vhIgfZAm/icLTkM0M2To636jlPBoBc/Ec2gPLg6IgQqy66qSwfK2U8R1cQvkok i0uh3ZCXxq8tPpfZqW+UXsBxE5Cuex3PATEw1VCgsfLcrNi0C8HapcbyXSGUgirfYp7L tJyVXukN299trFd2mJpmVJIPpGKC0oh1X1jLkrY8bRLE6SDLW7qOzy9XT6j7ichbCBGF 7xZQ==
X-Gm-Message-State: ALQs6tAWfl2r5DeNjTkWO4rN5KKcvvq+CpAKyb9vtbTQtEwfipxrtlZL l2QJPJlkDLQQxUgxU9gWRmc2KniWX8uXAIQDPRcEtQ==
X-Google-Smtp-Source: AIpwx4+A+TzXM6IRd36PrVErKk/OGHFI4uyXUyHVtrlphAS7j9HHmd0Ty1fvYLsRi3NoYISD+iKeQfsrSvW4dHD6MAo=
X-Received: by 2002:aca:3114:: with SMTP id x20-v6mr3458693oix.108.1522590827839; Sun, 01 Apr 2018 06:53:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.138.18.130 with HTTP; Sun, 1 Apr 2018 06:53:07 -0700 (PDT)
In-Reply-To: <1522560535687.32559@cs.auckland.ac.nz>
References: <CABcZeBNB50jY1odzgVZVKqn8F7TCj1b+A_95yG6f=Nde0KVv+g@mail.gmail.com> <1522560535687.32559@cs.auckland.ac.nz>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 01 Apr 2018 06:53:07 -0700
Message-ID: <CABcZeBPH6zO1kQnduR2YLGPD1qOu6bAvGSqmwfNUJ-J4j5xh+g@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Bill Frantz <frantz@pwpconsult.com>, Steve Fenter <steven.fenter58@gmail.com>, "Dale R. Worley" <worley@ariadne.com>, General Area Review Team <gen-art@ietf.org>, IETF discussion list <ietf@ietf.org>, "draft-ietf-tls-tls13.all@ietf.org" <draft-ietf-tls-tls13.all@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006e97b00568c9cd3a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/XGSeqRdU6sXzVrZPT5-3vY1SsPk>
Subject: Re: [Gen-art] Expanded alert codes. [Was Re: [TLS] Genart last call review of draft-ietf-tls-tls13-24]
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Apr 2018 13:53:51 -0000
On Sat, Mar 31, 2018 at 10:29 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > Eric Rescorla <ekr@rtfm.com> writes: > > >In my experience, there are four major scenarios for diagnosing this kind > of > >failure. Under the assumption that you control one end, the other end can > be: > > > >1. A live endpoint. > >2. A testing endpoint someone has put up. > >3. An endpoint that someone is actively working on with you. > >4. An endpoint you control (e.g., you're running it on your own machine). > > > >If this is a debug-only feature, then it won't be available in case #1, > > I have the feeling the people who have commented on this were talking from > real-world experience, Sure. I am also talking from real world experience. > and in the example I gave it was exactly case #1. This > was a live, large-scale production environment by a major ecommerce > organisation (details fudged somewhat to avoid identifying anyone, but > everyone here would know the name), and the only way to get things working > was > to spend several weeks randomly tweaking every conceivable option on the > client until things started working, because the only thing the server > would > say was "Handshake failure". The client-side organisation still has no > idea > what made things work, they've narrowed it down by trial and error to about > half a dozen things they had to change, but that's it. > > If they'd been able to get the server operators to turn on extended-alert > for > even just a single handshake it would have avoided several weeks' effort > and a > fix that even now is pure guesswork. Maybe. I've spent a fair amount of time trying to diagnose failures where I know precisely the line of code that generated the failure, and it can still be quite difficult. > >For the same reason, it's not really that helpful in case #3, because you > can > >just ask the person you're working with to read the logs, > > Except that these people are EDI companies, not TLS experts. They have > neither the expertise nor the inclination to help debug TLS issues. What > they > will do is enable debug on the server so the client can sort things out, > but > they're not going to devote any effort to sorting out the problem at their > end. > I'm not suggesting that they ask the counterparty to diagnose the problem, just send the relevant logs. It seems like the ask of "turn on logging and give me the results" and "turn on extended debugging" are fairly similar. -Ekr
- [Gen-art] Expanded alert codes. [Was Re: [TLS] Ge… Eric Rescorla
- Re: [Gen-art] Expanded alert codes. [Was Re: [TLS… Peter Gutmann
- Re: [Gen-art] [TLS] Expanded alert codes. [Was Re… Ion Larranaga Azcue
- Re: [Gen-art] [TLS] Expanded alert codes. [Was Re… Peter Gutmann
- Re: [Gen-art] [TLS] Expanded alert codes. [Was Re… Ion Larranaga Azcue
- Re: [Gen-art] [TLS] Expanded alert codes. [Was Re… Ion Larranaga Azcue
- Re: [Gen-art] Expanded alert codes. [Was Re: [TLS… Eric Rescorla
- Re: [Gen-art] Expanded alert codes. [Was Re: [TLS… Dale R. Worley