Re: [TLS] Tr: Behaviour when TLS fails

At Thu, 25 Sep 2008 08:26:02 +0200,
Julien ÉLIE wrote:
> 
> Hi,
> 
> Would it be possible to have some more information about how to behave when
> a TLS negotiation fails?
> 
> In RFC 4642 on TLS with NNTP, it is written:
> 
>     Upon receiving a 382 response to a STARTTLS command, the client MUST
>     start the TLS negotiation before giving any other NNTP commands.  The
>     TLS negotiation begins for both the client and server with the first
>     octet following the CRLF of the 382 response.  If, after having
>     issued the STARTTLS command, the client finds out that some failure
>     prevents it from actually starting a TLS handshake, then it SHOULD
>     immediately close the connection.
> 
>     [...]
> 
>     If the TLS negotiation fails, both client and server SHOULD
>     immediately close the connection.  Note that while continuing the
>     NNTP session is theoretically possible, in practice a TLS negotiation
>     failure often leaves the session in an indeterminate state;
>     therefore, interoperability can not be guaranteed.
> 
> But we do not know whether the "SHOULD immediately close the connection"
> is in fact a MUST.
> 
> You can see a current discussion about that here:
>     http://groups.google.fr/group/news.software.nntp/browse_frm/thread/aa305c96999afbcf
> 
> 
> Some excerpts below.
> 
> Thanks beforehand for your answer (please CC: me as I am not subscribed
> to the list).

TLS doesn't have any opinion about what you do with the underlying 
transport. So, as far as TLS is concerned, the underlying transport
(TCP) could stay open and you could try to negotiate NNTP on it.
It might even work. It's recommended not for the reasons noted
above. I wouldn't have a problem with 4462 saying MUST, but
I don't think it's required by the logic of TLS.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls