IETF Logo Mail Archive

[TLS] Alert after sending ServerHello

Roelof Du Toit <Roelof_Dutoit@symantec.com> Wed, 26 April 2017 03:01 UTC

Return-Path: <Roelof_Dutoit@symantec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65DCC124D68 for <tls@ietfa.amsl.com>; Tue, 25 Apr 2017 20:01:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=symc.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zx-eoN573dJx for <tls@ietfa.amsl.com>; Tue, 25 Apr 2017 20:01:48 -0700 (PDT)
Received: from asbsmtoutape02.symantec.com (asbsmtoutape02.symantec.com [155.64.138.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1AA312426E for <tls@ietf.org>; Tue, 25 Apr 2017 20:01:48 -0700 (PDT)
Received: from asbsmtmtaapi01.symc.symantec.com (asb1-f5-symc-ext-prd-snat8.net.symantec.com [10.90.75.8]) by asbsmtoutape02.symantec.com (Symantec Messaging Gateway) with SMTP id B6.A0.55425.A9D00095; Wed, 26 Apr 2017 03:01:46 +0000 (GMT)
X-AuditID: 0a5af81a-83de59a00000d881-e9-59000d9a7f99
Received: from tus3xchcaspin01.SYMC.SYMANTEC.COM (asb1-f5-symc-ext-prd-snat7.net.symantec.com [10.90.75.7]) by asbsmtmtaapi01.symc.symantec.com (Symantec Messaging Gateway) with SMTP id 97.66.04315.79D00095; Wed, 26 Apr 2017 03:01:46 +0000 (GMT)
Received: from TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) by tus3xchcaspin01.SYMC.SYMANTEC.COM (10.44.91.13) with Microsoft SMTP Server (TLS) id 15.0.1236.3; Tue, 25 Apr 2017 20:01:42 -0700
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (10.44.128.10) by TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) with Microsoft SMTP Server (TLS) id 15.0.1236.3 via Frontend Transport; Tue, 25 Apr 2017 20:01:43 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symc.onmicrosoft.com; s=selector1-symantec-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=4Ga4J204njp6QmPxQ9YzKkPYqFOHVe/rd+HqeI1J6Kw=; b=X2Ra4TRWwU0RetJrtY5o8qqFDIcSs9LplrXHZY67Z457NVyeumeJV92zSV5u713BGfhv9KbZE+ZxO5zGpE2fGn6e+7etX8ByFvpUEqvelRQnhJEyxruf2D80SP/2rKLFXZGY/kfz8ZQLIqx6STZJapuRGhmTxxQ/CWUlCDot2z4=
Received: from DM5PR16MB1834.namprd16.prod.outlook.com (10.172.45.9) by DM5PR16MB1834.namprd16.prod.outlook.com (10.172.45.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1047.13; Wed, 26 Apr 2017 03:01:41 +0000
Received: from DM5PR16MB1834.namprd16.prod.outlook.com ([10.172.45.9]) by DM5PR16MB1834.namprd16.prod.outlook.com ([10.172.45.9]) with mapi id 15.01.1047.019; Wed, 26 Apr 2017 03:01:40 +0000
From: Roelof Du Toit <Roelof_Dutoit@symantec.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Alert after sending ServerHello
Thread-Index: AQHSvjlr+zNFNWUWWk+l9HsX/u+t/g==
Date: Wed, 26 Apr 2017 03:01:40 +0000
Message-ID: <EAF9D3D6-A87D-450D-BCFB-36F8CDC8B14F@symantec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=symantec.com;
x-originating-ip: [24.112.242.116]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR16MB1834; 7:0cC2wFwLXJCqACtBwdHdF7lVeLDawNINYK3GcyMRrksAriTWwQmji55mA9PHA2kgdmCxH0lQW3d4fQHOouKNzzqNjfhh7JFYdDCas09QPaThNzdqyy0vnXCD9M+Z4EX5om7nNJr+rPsQ5FQ+ftXqyiliutMp9lllDGv4pFFUlQz2+Bnz5gd9Q+MFvk4G8fA3h/a0KhYVd/ge6KuKxyOMgA1kYfaa0PjR8b9ALoxBHLblkXrNnK8ubOeisyI0NON0+jUag7t0gBdpSa2aBwvZQfW6+M0BTeex1aQbm7lh97ch234LZ25/zChHrHz4F1WnHpgkBpeyn1ufcRpQ7IrPFA==
x-forefront-antispam-report: SFV:SKI; SCL:-1SFV:NSPM; SFS:(10009020)(6009001)(39410400002)(39400400002)(39450400003)(39850400002)(36756003)(15650500001)(50986999)(2420400007)(2501003)(54356999)(3480700004)(6916009)(7736002)(80792005)(7110500001)(189998001)(8936002)(81166006)(8676002)(66066001)(1730700003)(86362001)(122556002)(110136004)(38730400002)(53936002)(25786009)(6486002)(77096006)(6506006)(2906002)(10710500007)(6306002)(54896002)(99286003)(6512007)(33656002)(6436002)(102836003)(6116002)(3846002)(5640700003)(10290500003)(82746002)(2351001)(83716003)(3660700001)(3280700002)(5660300001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB1834; H:DM5PR16MB1834.namprd16.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
x-ms-office365-filtering-correlation-id: f4a27225-6aa7-4365-76ae-08d48c508fc1
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(201703131423075)(201703031133081)(201702281549075); SRVR:DM5PR16MB1834;
x-microsoft-antispam-prvs: <DM5PR16MB1834B70A675846159078C42FFA110@DM5PR16MB1834.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(6041248)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(20161123555025)(20161123564025)(20161123560025)(6072148); SRVR:DM5PR16MB1834; BCL:0; PCL:0; RULEID:; SRVR:DM5PR16MB1834;
x-forefront-prvs: 0289B6431E
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_EAF9D3D6A87D450DBCFB36F8CDC8B14Fsymanteccom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Apr 2017 03:01:40.0803 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB1834
X-OriginatorOrg: symantec.com
X-Brightmail-Tracker: H4sIAAAAAAAAA01Se0hTYRT3271zd6vR51x5WPlaDyzxidFLSojIWi+KSKWo67zkULexTUnB ssSazsp0oG7NpS1CjaLoYSoUEwWVfPTANAuWZlpg5h8+KK3d3Qn+8/E7v9/vHM4536EIyXO+ jFKpDYxOTWfKfUWkKEVBRVjEPsnR1u8B26d7S1ACSnQ45nnHUIooPo3JVOUwuqjd50TpzsJw rfHkheraZl4B+nS8BAkpwHFww1KFSpCIkuDfCBxXfxFLgrnRSXDCLIIfFXXeoB3BdE0hYl0S PIGgzaVlBRIXEzA781XAuSp48PJjGckFTgSFzhoBm+KLY2D+dTmfxVIcCk0fTG6eovxxGDzu VXN0BFSaqwmWluJIKJk6zdIk3gil9VYei8V4D7Q3NniaQHgNzHY98PAEDoChUTuPGwGDo7XX O85qmBhZ5LPtIGxC8Kz1FeIEOXS1FZAcDoS3dpNnGYBLCbg/aSW5oIMP1xu+eMsehkUXtwzA NxGMW23eUhnQ+K5KwGEFvOga8Gb388B4a47PzgN4Hdx9c4b1+GMZfH5fjMpQuGVZ6xxWwk9T vQeLsR90Vo+SFnc2gTfDo+YozhIKZpNLwOEwKLpt8+JE6Km1k8s9dxDVgEJofao+y6DJNtBa Jjo2Up+bpWQf2n1LykilJusJ8lzTnKwJjQ4fciJMIflKcbrQJ1nCp3PcTvcvUoRcKu53/EuS iNPo3DxGpzmry85k9E60liLlAeLhmqEkCT5PG5gMhtEyuiWVRwllBWiTFSW3REGcaptEf8rh UnT3NXd39zy0LPTMGBcGw+8Fnbg8vm9yw9bozolY9cwq/qDcHLe+I2Fn1bcrLTphXzYKtk3u Nx6tE408XZEfStsCU3zj63cMBEcUKeYS/KaCFHtVi5pLvdK+2ANjY5VH7Kn5QbsOGv4oyy+G XMuT/02Tk/p0OmYLodPT/wHctwPjSQMAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprFKsWRmVeSWpSXmKPExsXCFeXNrjuLlyHS4ONNDotP57sYHRg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVcahZu6AjtGLmwl1MDYy3g7oYOTkkBEwkpqw+xNzFyMUhJPCd UeLV5EVQzlFGiU/zmhlBqoQEXjJKHH5YAJJgEehklvj+7RE7RNVkJomdNyawQDiHGCWaD81j B2lhEzCU+HlgEiuILSKgKLHjajdQnINDWEBDYuP5PIiwrsT0KTOZQcIiAnoSXR9iQMIsAqoS PStnM4HYvAL2EkdXrwI7glFATOL7qTVgcWYBcYlbT+YzQbwgILFkz3lmCFtU4uXjf6wg5zAK dDNKbN2znxEioSRx6nADC4QtK3FpfjcjSJGEQA+zxPJ3s1kgnGOsEr2r7kGN9ZX49xASGBIC /YwSL2bPhRqVLbH68gx2CNtbYvup61DdF5kkOib+YAX5R0JARmLx2ViQGmEBKYm7VzoZIWwZ iRd39rJC/JAs8bp7JdMERvVZSF6ahSQ1CxwEghInZz5hmQU0lVlAU2L9Ln2IEkWJKd0P2SFs DYnWOXOhbA+JcwvnsyCrWcDIsYpRIbE4qTi3JLckMbEg08BQr7gyNxlEJAKTUrJecn7uJkZw YvottoPxwB+fQ4wCHIxKPLwNHAyRQqyJZUCVhxilOViUxHmX/7wVISSQnliSmp2aWpBaFF9U mpNafIiRiYNTqoGRJ+Gg6d5rvSG6KdEzE1KEl6WXqfZ95DC7fz7zYFpOQnmG+du7ZwXXNXGw ZR4/FC76Yaf03t7PkhnuIcorS1782urjsy++LfNjnp2aVZ8c0413fuc5S9UfuMS8/yNr63Kp L3bb0pwQyfz43tbTWhGzo+ZKyOaeiVvbnpXF2q8Umf3ZyX6quBJLcUaioRZzUXEiAHnwC1Yt AwAA
X-CFilter-Loop: ASB03
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Fksflm9IwUGnD5y9aObHjwAN9_s>
Subject: [TLS] Alert after sending ServerHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 03:01:50 -0000

During interop testing with an open-source stack I ran into the following:
CH ---->
<---- SH,{EE,Cert,CV,Fin}
alert ---->

The alert was due to a decode error on CV, and the stack in question sent the alert in a plaintext record.

The current draft specification has the following text in section 6:
"Like other messages, alert messages are encrypted as specified by the current connection state."
.. and the following in section 5.1:
"Once record protection has started, TLSPlaintext records are protected"

I expected the alert above to be sent in a ciphertext record, but I can also see the client sending plaintext alerts for ServerHello decode failures.
My conclusion is that the TLS 1.3 record layer on the server side should support receiving both ciphertext and plaintext records after ServerHello has been sent.

One way for the server to handle the scenario above is to defer using client_handshake_traffic_secret until the first app_data record is received.   That idea falls flat when the client is also sending early data and the server wants to ignore the early data using trial decrypt with client_handshake_traffic_secret:

CH ---->
(ed) -----X (discard)
       ...---- SH
(ed) ----X (trial decrypt + discard)
<---...
alert ---->

Another way this could work is if the server allows one (and only one) plaintext record (with ContentType = alert) from the client during the window where it has sent the SH,{EE,Cert,CV,Fin} sequence and is waiting for the client's first encrypted handshake message.

I would appreciate a recommendation in order to avoid future interop issues.

--Roelof

v2.23.0 | Report a Bug | By Email