IETF Logo Mail Archive

Re: [TLS] [Technical Errata Reported] RFC8446 (7620)

Eric Rescorla <ekr@rtfm.com> Mon, 28 August 2023 14:05 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0A8DC14CF1C for <tls@ietfa.amsl.com>; Mon, 28 Aug 2023 07:05:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zyCPLZOD3WTx for <tls@ietfa.amsl.com>; Mon, 28 Aug 2023 07:05:07 -0700 (PDT)
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC377C151553 for <tls@ietf.org>; Mon, 28 Aug 2023 07:05:06 -0700 (PDT)
Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-59254e181a2so37248587b3.1 for <tls@ietf.org>; Mon, 28 Aug 2023 07:05:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20221208.gappssmtp.com; s=20221208; t=1693231506; x=1693836306; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=d9IKgXd+yv2ZoPCuZVzFoMhG608JzYqDSXA0thHSCSo=; b=1E6T9pMV7LkfIG2yazmUjham+BjCiE81cUH0ZVnbiOob9Vx0lYIPNa5kUFcJTf3UE3 BvhRnHpQR4+HSyGZg/eAyC+yKfDQADtbU6H41jQB1fojxS+OknrJ+q7zZtDwZbk9EFRW FZ9/by+8/AeXn5sSnJxEJUX8VkRq7uIlRyseGaZ32UZPBVvPkySLekDNjUNeKW/2D8jE wmCIKPubHbcHJH0TanXBTB0rngfu7p/7vV8VNB1PkWWgArlWWfX6Dmc5AFEqIWcUQhWi fB72/NuW/zSgVHhtAh99EIeACf9l1so7Rt0fLNSy5yatr91s0KSKuveP7X3q/gxZXoXY N7zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693231506; x=1693836306; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=d9IKgXd+yv2ZoPCuZVzFoMhG608JzYqDSXA0thHSCSo=; b=IWROVPX+ZgdoiICYMDPduY0ESXlSdzQj7KtTdiv8k5Xc7Ighrjog17ivH4fHMlju1v uLTKI0lU7eVinURI9CCeC8jGD2q87lAfQYLbhyf9ZCECD7u2ruh/c+OE3LRgdHxAan6J Bkcq0bL5yElyKtoeoUQPsTlF/1q/i1ulG7Tw2rQDeKM3y5hBJnWGwFJVL+VbA9aefsEd FL+lgJOHxYDwh1hGa3mkzsHglPRMGxgzc7UcwTw6097DiwLg7ZmuynekEboTxEopGipX GlHv44paAXfVKJVjIwAf2SLD1+TwrIOyJKdhyqyws6LpPQVygGnpZRdpBD+Iq0Y2p3JM 8izA==
X-Gm-Message-State: AOJu0Yxgu5ICkWTx5JGF4AddotsUIrPrP5XdPn2dh6Pkz83AoZJGRIPp v7jeQoadThuTcRo54W7lmzcVcMEMAyQjAdDfvydaKEW8/UC4+wmC
X-Google-Smtp-Source: AGHT+IFntrnxPvkiTzsvyWsM96jkXJ7g4J5XkmD6m1oTjjbT2H40k+IC+ywWKdS1DPnvKaavl7Y1aUD2NaTCKge/eOQ=
X-Received: by 2002:a0d:d7c5:0:b0:592:264c:a88c with SMTP id z188-20020a0dd7c5000000b00592264ca88cmr21787599ywd.18.1693231506082; Mon, 28 Aug 2023 07:05:06 -0700 (PDT)
MIME-Version: 1.0
References: <20230828110218.37E627FDEA@rfcpa.amsl.com> <CABcZeBPHevj+4oYOyrbZC1FPmEtq961h8zThgAR07Bw8GRyC0g@mail.gmail.com> <CA+_8xu0skGn-0BkK_oA+2=NSrBEp_dLFV3DJn8Nsv8WeRoXdZg@mail.gmail.com>
In-Reply-To: <CA+_8xu0skGn-0BkK_oA+2=NSrBEp_dLFV3DJn8Nsv8WeRoXdZg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 28 Aug 2023 07:04:29 -0700
Message-ID: <CABcZeBMR6-3eR12zjhNd-njN4auTq4hcxNL2U_d++1aD-ZGs3g@mail.gmail.com>
To: research@bensmyth.com
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, rdd@cert.org, paul.wouters@aiven.io, caw@heapingbits.net, Joseph Salowey <joe@salowey.net>, sean+ietf@sn3rd.com, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007170540603fc2ea7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9Wv08oKlcwDi9DuUCyDmqSNDPls>
Subject: Re: [TLS] [Technical Errata Reported] RFC8446 (7620)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Aug 2023 14:05:10 -0000

So I'm not sure this is an erratum as I think it correctly describes the
situation and it's a judgement call whether we ought to have a requirement
here or whether it's a 6919 MUST (BUT WE KNOW YOU WON'T)

We are currently preparing the 8446-bis, so I think the right place to have
this discussion is in that context.

-Ekr


On Mon, Aug 28, 2023 at 6:38 AM Ben Smyth <research@bensmyth.com> wrote:

> Yes, we agree. I anticipate necessity to reduce the strength my wording
> (or to ignore). I raise this errata only to discuss specification-compliant
> implementations being vulnerable to truncation attack; it'd surely be
> better to have a SHOULD or SHOULD NOT.
>
> On Mon, 28 Aug 2023, 14:43 Eric Rescorla, <ekr@rtfm.com> wrote:
>
>> Hi Ben,
>>
>> Before addressing the text, let's make sure we are on the same page about
>> the situation.
>>
>> As you probably know, there are quite a few situations in which endpoints
>> close the connection before
>> receiving a close_notify, for instance, when they receive an end of data
>> message in the application
>> protocol or when they time out. The former case is generally safe, the
>> latter is not, but extremely
>> common, in fact perhaps the dominant case. Do we agree on that?
>>
>> -Ekr
>>
>>
>> On Mon, Aug 28, 2023 at 4:02 AM RFC Errata System <
>> rfc-editor@rfc-editor.org> wrote:
>>
>>> The following errata report has been submitted for RFC8446,
>>> "The Transport Layer Security (TLS) Protocol Version 1.3".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid7620
>>>
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Ben Smyth <research@bensmyth.com>
>>>
>>> Section: 6.1
>>>
>>> Original Text
>>> -------------
>>> Each party MUST send a "close_notify" alert before closing its write
>>> side of the connection, unless it has already sent some error alert.
>>> This does not have any effect on its read side of the connection.
>>> Note that this is a change from versions of TLS prior to TLS 1.3 in
>>> which implementations were required to react to a "close_notify" by
>>> discarding pending writes and sending an immediate "close_notify"
>>> alert of their own.  That previous requirement could cause truncation
>>> in the read side.  Both parties need not wait to receive a
>>> "close_notify" alert before closing their read side of the
>>> connection, though doing so would introduce the possibility of
>>> truncation.
>>>
>>> Corrected Text
>>> --------------
>>> Each party MUST send a "close_notify" alert before closing its write
>>> side of the connection, unless it has already sent some error alert.
>>> This SHOULD NOT have any effect on the read side of the sender's
>>> connection;
>>> parties SHOULD receive a "close_notify" alert before closing the read
>>> side of their connection.
>>> Note that this is a change from versions of TLS prior to TLS 1.3 in
>>> which receivers were required to react to a "close_notify" by
>>> discarding pending writes and sending an immediate "close_notify"
>>> alert of their own.  That previous requirement could cause truncation
>>> in the read side.  Both parties need not wait to receive a
>>> "close_notify" alert before closing their read side of the
>>> connection, though doing so would introduce the possibility of
>>> truncation.
>>>
>>> Notes
>>> -----
>>> As-is there's a specification-level vulnerability:
>>> Specification-compliant implementations may be vulnerable to truncation
>>> attacks.
>>>
>>> I suggest using SHOULD NOT & SHOULD for better signposting and to avoid
>>> specification-level vulnerability.
>>>
>>> I also suggest minor tweaks for readability.
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> can log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC8446 (draft-ietf-tls-tls13-28)
>>> --------------------------------------
>>> Title               : The Transport Layer Security (TLS) Protocol
>>> Version 1.3
>>> Publication Date    : August 2018
>>> Author(s)           : E. Rescorla
>>> Category            : PROPOSED STANDARD
>>> Source              : Transport Layer Security
>>> Area                : Security
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>>
>>

v2.23.0 | Report a Bug | By Email