IETF Logo Mail Archive

[hybi] failed TLS handshake: which close code?

Tobias Oberstein <tobias.oberstein@tavendo.de> Mon, 24 October 2011 07:58 UTC

Return-Path: <tobias.oberstein@tavendo.de>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFC9E21F8C6A for <hybi@ietfa.amsl.com>; Mon, 24 Oct 2011 00:58:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wBt8pOZ7IOOJ for <hybi@ietfa.amsl.com>; Mon, 24 Oct 2011 00:58:16 -0700 (PDT)
Received: from EXHUB020-4.exch020.serverdata.net (exhub020-4.exch020.serverdata.net [206.225.164.31]) by ietfa.amsl.com (Postfix) with ESMTP id EEAC821F8C69 for <hybi@ietf.org>; Mon, 24 Oct 2011 00:58:15 -0700 (PDT)
Received: from EXVMBX020-12.exch020.serverdata.net ([169.254.3.230]) by EXHUB020-4.exch020.serverdata.net ([206.225.164.31]) with mapi; Mon, 24 Oct 2011 00:58:15 -0700
From: Tobias Oberstein <tobias.oberstein@tavendo.de>
To: "hybi@ietf.org" <hybi@ietf.org>
Date: Mon, 24 Oct 2011 00:58:13 -0700
Thread-Topic: failed TLS handshake: which close code?
Thread-Index: AcySIbAvR1mTC2mWQr2hZwnuI/+Ivg==
Message-ID: <634914A010D0B943A035D226786325D42D0B036D6D@EXVMBX020-12.exch020.serverdata.net>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: de-DE, en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [hybi] failed TLS handshake: which close code?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2011 07:58:16 -0000

Hybi-17:

"""
4. Opening Handshake
...
4.1. Client Requirements
...
   5.  If /secure/ is true, the client MUST perform a TLS handshake over
       the connection after opening the connection and before sending
       the handshake data [RFC2818].  If this fails (e.g. the server's
       certificate could not be verified), then the client MUST _Fail
       the WebSocket Connection_ and abort the connection.  Otherwise,
       all further communication on this channel MUST run through the
       encrypted tunnel.  [RFC5246]
"""

When the client fails the TLS handshake (i.e. because of invalid server certificate),
which close status code would be appropriate to use for signaling that specific
reason to the caller?

Is it supposed to use a close status code from the following range?

"""
   3000-3999

      Status codes in the range 3000-3999 are reserved for use by
      libraries, frameworks and application.  These status codes are
      registered directly with IANA.  The interpretation of these codes
      is undefined by this protocol.
"""

Or are those only for "use on wire" not for signaling the caller?

For example, Firefox currently provides the calling JavaScript with a "1006 Abnormal Connection Close":

"""
  1006

      1006 is a reserved value and MUST NOT be set as a status code in a
      Close control frame by an endpoint.  It is designated for use in
      applications expecting a status code to indicate that the
      connection was closed abnormally, e.g. without sending or
      receiving a Close control frame.
"""

However, this could be multiple things and is not giving the real reason to the JS.
The JS thus can't react specifically ..

v2.23.0 | Report a Bug | By Email