[TLS] Short notes on TLS RFCs ...
Colm MacCárthaigh <colm@apache.org> Fri, 20 June 2014 03:24 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 178B11A01A5 for <tls@ietfa.amsl.com>; Thu, 19 Jun 2014 20:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.078
X-Spam-Level:
X-Spam-Status: No, score=-1.078 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_56=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fzu9FYHQAtmu for <tls@ietfa.amsl.com>; Thu, 19 Jun 2014 20:24:54 -0700 (PDT)
Received: from mail-oa0-f52.google.com (mail-oa0-f52.google.com [209.85.219.52]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E628D1A017F for <tls@ietf.org>; Thu, 19 Jun 2014 20:24:53 -0700 (PDT)
Received: by mail-oa0-f52.google.com with SMTP id j17so6616392oag.39 for <tls@ietf.org>; Thu, 19 Jun 2014 20:24:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:date:message-id:subject:from :to:content-type; bh=2xJcjBgUtBVB4jkE94djYqRWN5kwpLVyTatVppmJ5zw=; b=X2LDgrRyVJ08zb5Ht1PYj1W2kYxRxXnx+xW6JFAuhovJmb3Z3vPlcGMJEu7qbBfSz9 c+WCxO2szxiW+dimVak+ifaRt646x09tlXPI8xbmN+BXabv4o6n/F7kEJYXDUOd95+Nm UXU0iHlD9ugPTlDl0SzuYa7qizgl/v96FxqtxfRqfcrToXHcvX99u/LhJCHcTc+FfFfg BiFhUA5UH+1gFaF3B0aHyrBnlh9jltwmXDrhdH+dTZZAJ2JSR5w8pHn+rcijAyuPsVZk Gg25Bv75weL+FQDg38uG11dUeNZjVCtvyz+kx2E7fCjCbnaVpRSv+p7lVInrle81LcBI kM0g==
X-Gm-Message-State: ALoCoQnzvbRlEccjvFuOQPnrnE28pD7WHTwDaCe4JuimS6egugLSwXbxV3J1qaytPXNHn7tAsDb3
MIME-Version: 1.0
X-Received: by 10.60.70.200 with SMTP id o8mr567371oeu.55.1403234693241; Thu, 19 Jun 2014 20:24:53 -0700 (PDT)
Sender: colm@allcosts.net
Received: by 10.76.20.164 with HTTP; Thu, 19 Jun 2014 20:24:53 -0700 (PDT)
Date: Thu, 19 Jun 2014 20:24:53 -0700
X-Google-Sender-Auth: 897zbTZNWgNKAhx2CSkCg0EeFTI
Message-ID: <CAAF6GDfF0uFZc=csO7OYPvtVZ2rg=NzykUpkkjT4XaZPos2=sA@mail.gmail.com>
From: Colm MacCárthaigh <colm@apache.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/A4iVm_yyzrIxcM84YEi3gCV0XSY
Subject: [TLS] Short notes on TLS RFCs ...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jun 2014 03:24:55 -0000
I've recently spent some time reading various TLS RFCs in detail. During the process I found a few points of confusion, or inconsistency with what I could find in general implementations. As I'm new to this, I may be duplicating reports, and I may also be in error. Apologies if so, but it seemed worth sending a note all the same. 1. I don't think RFC5246 actually specifies how DH parameters should be signed. In section 7.4.3 signed_params is defined as "a signature over the server's key exchange parameters" and appendix F (which is non-normative?) described that the parameters are hashed with the hello.random values, but does not say how. RFC4346 does contain a description; but it was not clear to me what should be done in TLS1.2 without reverse engineering it from existing implementations. Again, my apologies if I've missed it - but I can't find a clear instruction on how to sign the parameters in the RFC. I think a future RFC could benefit from a small repair work here and I'd be happy to contribute if that's appropriate. 2. The handling of alert messages is somewhat ambiguous. I think a strict reading of the sections on the record layer imply that alert messages may be fragmented across more than one record, and also that several alerts (and also maybe a partial alert) may be coelesced into a single record. Some experiments with implementations show me that this is inconsistently handled. Because alert messages specify the AlertLevel before the alert code, there is a possibility for ambiguity with the intent of section 7.2. Suppose that a peer send the first byte of an alert message, and that that byte is "2". As the recipient, I know that I have a fatal alert. Should I shut the connection down immediately? Or is the alert message considered incomplete until the entire message is received? If the subsequent record, with the second byte of the alert message also contains other alert messages - what status should I give those? where a peer chooses to indicate several alerts in one record, should it be clear that a fatal alert truncates the alert stream? Is there a reason to support fragmentation/coalescing for alerts at all? 3. The purpose of heartbeat message seems to be a form of path MTU discovery, but they also seem ill-suited to MTU discovery. In particular, Heartbeat messages seem to me capable of only discovering the lowest-MTU supported in both directions of transmission; rather than the actual MTU of the network paths; which can be (and sometimes are) asymmetrical. This may seem very esoteric, but as WANs and transit providers deploy jumbo-frames inconsistently, asymmetrical MTUs are becoming more common. Though hopefully that day will pass. Again, apologies if my notes are duplicative, but figured it was better to report a dupe than to miss something. -- Colm
- [TLS] Short notes on TLS RFCs ... Colm MacCárthaigh
- [TLS] Short notes on TLS RFCs ... Colm MacCárthaigh
- Re: [TLS] Short notes on TLS RFCs ... Salz, Rich
- Re: [TLS] Short notes on TLS RFCs ... Michael Tuexen
- Re: [TLS] Short notes on TLS RFCs ... Watson Ladd
- Re: [TLS] Short notes on TLS RFCs ... Michael Tuexen
- Re: [TLS] Short notes on TLS RFCs ... Robert Ransom
- Re: [TLS] Short notes on TLS RFCs ... Colm MacCárthaigh
- Re: [TLS] Short notes on TLS RFCs ... Colm MacCárthaigh
- Re: [TLS] Short notes on TLS RFCs ... Eric Rescorla
- Re: [TLS] Short notes on TLS RFCs ... Christian Huitema