Re: [Gen-art] [TLS] Genart last call review of draft-ietf-tls-tls13-24

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 30 March 2018 02:35 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Steve Fenter <steven.fenter58@gmail.com>, "Dale R. Worley" <worley@ariadne.com>
CC: "draft-ietf-tls-tls13.all@ietf.org" <draft-ietf-tls-tls13.all@ietf.org>, "gen-art@ietf.org" <gen-art@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Genart last call review of draft-ietf-tls-tls13-24
Thread-Index: AQHTx7wzWLe9N5LKX0OEOqF/VURukKPoD3Fo
Date: Fri, 30 Mar 2018 02:35:39 +0000
Message-ID: <1522377304060.20682@cs.auckland.ac.nz>
References: <871sgw4ky9.fsf@hobgoblin.ariadne.com>, <27EB41EC-2C80-4C5A-BD6C-9063B520F0C8@gmail.com>
In-Reply-To: <27EB41EC-2C80-4C5A-BD6C-9063B520F0C8@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/dk7m05KML8XH8vF3R8j_v5ZPa2I>

Steve Fenter <steven.fenter58@gmail.com> writes:

>I've done a fair amount of TLS handshake troubleshooting, and it's usually
>long and painful because the error codes are so vague. 
>[...]
>The vague error messages are leading directly to more downtime, and this
>should be balanced with the other security needs. 

This was the reason for the sole new feature that was added to SCEP, an
optional text-form error message to explain why you didn't get a certificate.
Prior to that it was pure guesswork: there was just a generic error code
saying "you didn't get your cert", which made things almost impossible to
debug if you didn't have someone you could phone at the CA who could tell you
why you didn't get your cert.

As you mention, debugging TLS is unnecessarily painful if there's a problem:
you typically just get a handshake-failed alert, which is essentially no
information at all.  Having a debug-mode capability to send back a long-form
error message would be extremely useful, maybe an extension to say "send back
a long-form alert with more than just 'BOOLEAN succeeded = FALSE' in it".

Peter.