IETF Logo Mail Archive

Re: [radext] ALPN alert use with RADIUS Version 1.1

Alan DeKok <aland@deployingradius.com> Thu, 20 July 2023 15:16 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BA1AC15108B for <radext@ietfa.amsl.com>; Thu, 20 Jul 2023 08:16:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EP51DyYpLdeF for <radext@ietfa.amsl.com>; Thu, 20 Jul 2023 08:16:09 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04581C151090 for <radext@ietf.org>; Thu, 20 Jul 2023 08:16:08 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 0C4733C6; Thu, 20 Jul 2023 15:16:02 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAA7Lko9_if7_1OBMYKyY40ZN8q5O112R8B3dHcYZVmq6Z3u73Q@mail.gmail.com>
Date: Thu, 20 Jul 2023 11:16:00 -0400
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A7503EEB-2142-4004-8E60-9E4BDF54D8FD@deployingradius.com>
References: <CAA7Lko9kxYNOZDuZHfBZQ-01fPf25EYSLuNR=2aUL1Z19ehuRw@mail.gmail.com> <763A610D-7BC3-4913-AB11-658034C78D48@deployingradius.com> <CAA7Lko9_if7_1OBMYKyY40ZN8q5O112R8B3dHcYZVmq6Z3u73Q@mail.gmail.com>
To: Heikki Vatiainen <hvn@radiatorsoftware.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/5isae399E9bI0mapm_DDeA_4_ko>
Subject: Re: [radext] ALPN alert use with RADIUS Version 1.1
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2023 15:16:13 -0000

On Jul 20, 2023, at 10:16 AM, Heikki Vatiainen <hvn@radiatorsoftware.com> wrote:
> 
> >  I think Alex has a good point here, too.  The client has sent all of the ALPN protocols it supports.  The only possible answers from the server are (a) TLS alert 120, or (b) an all of an ALPN protocol which the client had already sent.
> 
> One option is that the server completes the handshake and returns no ALPN extension in its ServerHello. OpenSSL server appears to ignore client's ALPN extension by default and returns no ALPN extension in ServerHello. In other words, the TLS connection is opened but no ALPN was negotiated.

  Yes, that's true.

> Testing with OpenSSL's 'openssl s_client ...' works well. The client program shows that alert 120 was received. In other words, the alert returned from TLS server ClientHello callback is visible to the TLS client.

  That's good.  Taking a quick (!) look at the OpenSSL source, the client hello callback happens after the ALPN callback.  So it should be possible to set the client hello callback, and check the ALPN status, and then do... something.

  However, the OpenSSL documentation says that the client hello callback can only return success / error / retry.  So it's not possible to send a TLS alert even then.  :(

> One option could be to add some text why it's important to use 'allow' as the default policy.
> https://www.ietf.org/archive/id/draft-ietf-radext-radiusv11-01.html#section-3.3-6.1.1
> 
> As the table in section 3.3.1 shows, it's the only value that never triggers a failure. Once the person maintaining the configuration has some experience with the new behaviour, they can go and update it to a different value

  I agree.  I'll add some text.

> >   The reason for doing that is to make it easy for administrators to tell exactly what's going on.  It's a serious problem when the administrator sets up complex applications with all kinds of crypto magic, and then things don't work, with an error message of "Failed".  > It is much politer to give people a real, descriptive error message, so that they know exactly what went wrong, and how to fix it.
>  
> And if possible, make it visible on both sides of the connection too.

   So if no one else objects to the idea, I'll add some text.  Perhaps something like:

---
When ALPN negotiation fails, it is not always possible to send TLS alert of "no_application_protocol" (120).  [RFC7301] suggests that this alert can only be sent by the server which supports ALPN, in response to a client which requests ALPN.  However, if either party does not support ALPN, then there are no provisions for sending this alert.  In addition, the TLS implementations may not permit an application to send a TLS alert of its choice, at a time of its choice.  So if one party supports ALPN while the other does not, it is not possible for the system supporting ALPN to send any kind of TLS alert which informs the other party that ALPN is required.

The only possible method for one party to signal the other then, is application data inside of the TLS tunnel.  Therefore, for the situation when a one end of a connection determines that it requires ALPN while the other end does not support ALPN, the end supporting ALPN MAY send a Protocol-Error packet inside of the tunnel, and then close the connection.  If this is done, the Response Authenticator field of the Protocol-Error packet MUST be all zeros, as this packet is not in response to any request.  The Protocol-Error packet SHOULD contain a Reply-Message attribute with a textual string describing the cause of the error.  The packet SHOULD also contain an Error-Cause attribute, with value Unsupported Extension (406).

As this packet is an unexpected response packet, existing implementations will ignore it.  They may either log an error and may close the connection, or they may discard the packet and leave the connection open.  In which case the end support ALPN will close the connection.  While using a Protocol-Error packet in this way is unusual, it is both informative and safe.

The purpose of this packet is not to have the other end of the connection automatically determine what went wrong, and fix it.  Instead, the packet is intended to be (eventually) seen by an administrator, who can then take remedial action.
----

  That seems ugly as heck, but informative.  If this suggestion isn't too terrible, we may also want to allocate a new value for Error-Cause: ALPN Unsupported.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email