IETF Logo Mail Archive

Re: [TLS] Deprecating alert levels

Olivier Levillain <olivier.levillain@ssi.gouv.fr> Wed, 26 October 2016 11:36 UTC

Return-Path: <olivier.levillain@ssi.gouv.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92544129406 for <tls@ietfa.amsl.com>; Wed, 26 Oct 2016 04:36:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_FAIL=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ci_1OtlcNSjP for <tls@ietfa.amsl.com>; Wed, 26 Oct 2016 04:36:11 -0700 (PDT)
Received: from garfield.picty.org (garfield.picty.org [82.231.235.137]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D626C12950C for <tls@ietf.org>; Wed, 26 Oct 2016 04:36:10 -0700 (PDT)
Received: from [127.0.0.1] (unknown [90.63.246.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by garfield.picty.org (Postfix) with ESMTPSA id B7168541DF for <tls@ietf.org>; Wed, 26 Oct 2016 11:36:07 +0000 (UTC)
To: tls@ietf.org
References: <MWHPR15MB11829BF852A21F2E9C2B99B6AFD00@MWHPR15MB1182.namprd15.prod.outlook.com> <20161019155845.D13E21A564@ld9781.wdf.sap.corp> <CAOgPGoAu0AKzf46UpWUSxd3hfFc977Ea9HK0OP77Qwu3aCi69w@mail.gmail.com> <CABcZeBPqaSUYKQFzrQ8u0JVTjmdPbTbfWNSOhMu2pQZ2OayG5Q@mail.gmail.com> <CABkgnnWY+miny3iAvYFDk3JahR=eXMZx4Osfc+YGrtQXZH9+_g@mail.gmail.com> <MWHPR15MB11822291FFF82449A328A4E0AFA80@MWHPR15MB1182.namprd15.prod.outlook.com>
From: Olivier Levillain <olivier.levillain@ssi.gouv.fr>
Message-ID: <58109527.3000903@ssi.gouv.fr>
Date: Wed, 26 Oct 2016 13:36:07 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <MWHPR15MB11822291FFF82449A328A4E0AFA80@MWHPR15MB1182.namprd15.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1A3JadyJMysnILg7yAjGUIVvP_Q>
X-Mailman-Approved-At: Wed, 26 Oct 2016 05:15:28 -0700
Subject: Re: [TLS] Deprecating alert levels
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Oct 2016 11:36:13 -0000

Hi list,

I recently saw a related CVE regarding OpenSSL on oss-security mailing
list: CVE-2016-8610. The original mail is
http://seclists.org/oss-sec/2016/q4/224. As I understand it, the idea is
to send a continuous flow of unauthenticated, warning-level alerts in
the middle of the initial handshake. This leads OpenSSL to keep the
connection open (and apparently to consume some CPU).

Even if this might not be the attack of the century, it may also be
another reason to reconsider how a TLS stack should handle
[multiple|warning|unauthenticated] alerts.

olivier


Le 25/10/2016 03:14, Kyle Nekritz a écrit :
> +1 to both Martin and ekr, I think simplifying these alerts with clearly defined behavior for each alert description is the best way forward.
>
> Kyle 
>
> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Thomson
> Sent: Wednesday, October 19, 2016 10:18 PM
> To: Eric Rescorla <ekr@rtfm.com>
> Cc: tls@ietf.org
> Subject: Re: [TLS] Deprecating alert levels
>
> On 20 October 2016 at 05:28, Eric Rescorla <ekr@rtfm.com> wrote:
>>> 2.  Are there cases, such as unrecognized name. where it is useful to 
>>> indicate that an alert is not fatal?  If so how should this case be handled?
>>
>> I think this alert was a mistake :)
> In NSS is to tolerate it, but it's an exception.  I'm happier with a lone exception than with atrophied and redundant alert levels continuing as they are.  I'd prefer to take the PR, with a minor amendment noting the hazard caused by unrecognized_name(112).  Clients that intend to accept TLS 1.2 and lower probably have to ignore warning alerts until they see that the server is doing TLS 1.3 or higher.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DQICAg&c=5VD0RTtNlTh3ycd41b3MUw&r=l2j4BjkO0Lc3u4CH2z7jPw&m=1svSdxAuionbHyrUN4ThSCRLZ1pCQuLaO0qtgQ8Dk7A&s=jWxxDB9uWwT6kP_7TcZ4isUa_Z5LNWOhgMX_O1s3oaw&e= 
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email