Re: [quicwg/base-drafts] TLS application data isn't possible (#3043)
Martin Thomson <notifications@github.com> Wed, 18 September 2019 01:48 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D79FF120131 for <quic-issues@ietfa.amsl.com>; Tue, 17 Sep 2019 18:48:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.898
X-Spam-Level:
X-Spam-Status: No, score=-7.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Stqey_5LsxhU for <quic-issues@ietfa.amsl.com>; Tue, 17 Sep 2019 18:48:08 -0700 (PDT)
Received: from out-19.smtp.github.com (out-19.smtp.github.com [192.30.252.202]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 945FA12094F for <quic-issues@ietf.org>; Tue, 17 Sep 2019 18:48:08 -0700 (PDT)
Received: from github-lowworker-292e294.va3-iad.github.net (github-lowworker-292e294.va3-iad.github.net [10.48.102.70]) by smtp.github.com (Postfix) with ESMTP id BC12A521222 for <quic-issues@ietf.org>; Tue, 17 Sep 2019 18:48:07 -0700 (PDT)
Date: Tue, 17 Sep 2019 18:48:07 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6ODN3LVZXCSQCJBH53R27VPEVBNHHB257M5U@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3043/review/289631635@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3043@github.com>
References: <quicwg/base-drafts/pull/3043@github.com>
Subject: Re: [quicwg/base-drafts] TLS application data isn't possible (#3043)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d818cd7ad4fa_7473f81c92cd96013928d"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/9l4rT1TkiRwJEnNXhvre5Id06aM>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 01:48:14 -0000
martinthomson commented on this pull request.
>
QUIC takes the unprotected content of TLS handshake records as the content of
CRYPTO frames. TLS record protection is not used by QUIC. QUIC assembles
CRYPTO frames into QUIC packets, which are protected using QUIC packet
protection.
+QUIC is only capable of conveying TLS handshake records in CRYPTO frames. TLS
+alerts are turned into QUIC CONNECTION_CLOSE error codes; see {{tls-errors}}.
+TLS application data and other message types cannot be carried by QUIC at any
+encryption level and can be treated as an error if they are received from the
I'll take Kazuho's "is an error" to avoid triggering the usual "treat X as an error of type" thinking that goes along with generating CONNECTION_CLOSE. This is just wrong.
To Marten's point about how stacks can do this - I don't think that we generate any application_data records in our stack, but we certainly have assertions in place in case we get some. If someone accidentally writes to the TLS socket, then we'll at catch that at the earliest possible moment.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3043#discussion_r325451959
- [quicwg/base-drafts] TLS application data isn't p… Martin Thomson
- Re: [quicwg/base-drafts] TLS application data isn… Marten Seemann
- Re: [quicwg/base-drafts] TLS application data isn… Martin Thomson
- Re: [quicwg/base-drafts] TLS application data isn… Martin Thomson
- Re: [quicwg/base-drafts] TLS application data isn… Marten Seemann
- Re: [quicwg/base-drafts] TLS application data isn… Kazuho Oku
- Re: [quicwg/base-drafts] TLS application data isn… martinduke
- Re: [quicwg/base-drafts] TLS application data isn… Jana Iyengar
- Re: [quicwg/base-drafts] TLS application data isn… Kazuho Oku
- Re: [quicwg/base-drafts] TLS application data isn… Jana Iyengar
- Re: [quicwg/base-drafts] TLS application data isn… Martin Thomson
- Re: [quicwg/base-drafts] TLS application data isn… Martin Thomson
- Re: [quicwg/base-drafts] TLS application data isn… Martin Thomson