IETF Logo Mail Archive

[TLS] Short notes on TLS RFCs ...

Colm MacCárthaigh <colm@apache.org> Fri, 20 June 2014 03:24 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 178B11A01A5 for <tls@ietfa.amsl.com>; Thu, 19 Jun 2014 20:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.078
X-Spam-Level:
X-Spam-Status: No, score=-1.078 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_56=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fzu9FYHQAtmu for <tls@ietfa.amsl.com>; Thu, 19 Jun 2014 20:24:54 -0700 (PDT)
Received: from mail-oa0-f52.google.com (mail-oa0-f52.google.com [209.85.219.52]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E628D1A017F for <tls@ietf.org>; Thu, 19 Jun 2014 20:24:53 -0700 (PDT)
Received: by mail-oa0-f52.google.com with SMTP id j17so6616392oag.39 for <tls@ietf.org>; Thu, 19 Jun 2014 20:24:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:date:message-id:subject:from :to:content-type; bh=2xJcjBgUtBVB4jkE94djYqRWN5kwpLVyTatVppmJ5zw=; b=X2LDgrRyVJ08zb5Ht1PYj1W2kYxRxXnx+xW6JFAuhovJmb3Z3vPlcGMJEu7qbBfSz9 c+WCxO2szxiW+dimVak+ifaRt646x09tlXPI8xbmN+BXabv4o6n/F7kEJYXDUOd95+Nm UXU0iHlD9ugPTlDl0SzuYa7qizgl/v96FxqtxfRqfcrToXHcvX99u/LhJCHcTc+FfFfg BiFhUA5UH+1gFaF3B0aHyrBnlh9jltwmXDrhdH+dTZZAJ2JSR5w8pHn+rcijAyuPsVZk Gg25Bv75weL+FQDg38uG11dUeNZjVCtvyz+kx2E7fCjCbnaVpRSv+p7lVInrle81LcBI kM0g==
X-Gm-Message-State: ALoCoQnzvbRlEccjvFuOQPnrnE28pD7WHTwDaCe4JuimS6egugLSwXbxV3J1qaytPXNHn7tAsDb3
MIME-Version: 1.0
X-Received: by 10.60.70.200 with SMTP id o8mr567371oeu.55.1403234693241; Thu, 19 Jun 2014 20:24:53 -0700 (PDT)
Sender: colm@allcosts.net
Received: by 10.76.20.164 with HTTP; Thu, 19 Jun 2014 20:24:53 -0700 (PDT)
Date: Thu, 19 Jun 2014 20:24:53 -0700
X-Google-Sender-Auth: 897zbTZNWgNKAhx2CSkCg0EeFTI
Message-ID: <CAAF6GDfF0uFZc=csO7OYPvtVZ2rg=NzykUpkkjT4XaZPos2=sA@mail.gmail.com>
From: Colm MacCárthaigh <colm@apache.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/A4iVm_yyzrIxcM84YEi3gCV0XSY
Subject: [TLS] Short notes on TLS RFCs ...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jun 2014 03:24:55 -0000

I've recently spent some time reading various TLS RFCs in detail.
During the process I found a few points of confusion, or inconsistency
with what I could find in general implementations. As I'm new to this,
I may be duplicating reports, and I may also be in error. Apologies if
so, but it seemed worth sending a note all the same.

1. I don't think RFC5246 actually specifies how DH parameters should
be signed. In section 7.4.3 signed_params is defined as "a signature
over the server's key exchange parameters" and appendix F (which is
non-normative?) described that the parameters are hashed with the
hello.random values, but does not say how.

RFC4346 does contain a description; but it was not clear to me what
should be done in TLS1.2 without reverse engineering it from existing
implementations.

Again, my apologies if I've missed it - but I can't find a clear
instruction on how to sign the parameters in the RFC.

I think a future RFC could benefit from a small repair work here and
I'd be happy to contribute if that's appropriate.

2. The handling of alert messages is somewhat ambiguous. I think a
strict reading of the sections on the record layer imply that alert
messages may be fragmented across more than one record, and also that
several alerts (and also maybe a partial alert) may be coelesced into
a single record. Some experiments with implementations show me that
this is inconsistently handled.

Because alert messages specify the AlertLevel before the alert code,
there is a possibility for ambiguity with the intent of section 7.2.
Suppose that a peer send the first byte of an alert message, and that
that byte is "2". As the recipient, I know that I have a fatal alert.
Should I shut the connection down immediately? Or is the alert message
considered incomplete until the entire message is received? If the
subsequent record, with the second byte of the alert message also
contains other alert messages - what status should I give those? where
a peer chooses to indicate several alerts in one record, should it be
clear that a fatal alert truncates the alert stream?

Is there a reason to support fragmentation/coalescing for alerts at all?

3. The purpose of heartbeat message seems to be a form of path MTU
discovery, but they also seem ill-suited to MTU discovery. In
particular, Heartbeat messages seem to me capable of only discovering
the lowest-MTU supported in both directions of transmission; rather
than the actual MTU of the network paths; which can be (and sometimes
are) asymmetrical.  This may seem very esoteric, but as WANs and
transit providers deploy jumbo-frames inconsistently, asymmetrical
MTUs are becoming more common. Though hopefully that day will pass.

Again, apologies if my notes are duplicative, but figured it was
better to report a dupe than to miss something.

-- 
Colm

v2.23.0 | Report a Bug | By Email