Re: [TLS] Alert after sending ServerHello
mrex@sap.com (Martin Rex) Wed, 26 April 2017 12:25 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29D8F129B6F for <tls@ietfa.amsl.com>; Wed, 26 Apr 2017 05:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id klnsFLfh8fNL for <tls@ietfa.amsl.com>; Wed, 26 Apr 2017 05:25:36 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31540129B71 for <tls@ietf.org>; Wed, 26 Apr 2017 05:25:36 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 3wCfRy2MkMz26sF; Wed, 26 Apr 2017 14:25:34 +0200 (CEST)
X-purgate-ID: 152705::1493209534-00002B31-C6141706/0/0
X-purgate-size: 1478
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3wCfRx1zT2zGprM; Wed, 26 Apr 2017 14:25:33 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 34A0D1A698; Wed, 26 Apr 2017 14:25:33 +0200 (CEST)
In-Reply-To: <20170426071952.GA29159@LK-Perkele-V2.elisa-laajakaista.fi>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Wed, 26 Apr 2017 14:25:33 +0200
CC: Martin Thomson <martin.thomson@gmail.com>, Roelof Du Toit <Roelof_Dutoit@symantec.com>, "tls@ietf.org" <tls@ietf.org>
Reply-To: mrex@sap.com
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170426122533.34A0D1A698@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HEW33x5KnTmx_1npTClmQXwWZx4>
Subject: Re: [TLS] Alert after sending ServerHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 12:25:38 -0000
Ilari Liusvaara wrote: >> In effect, we assume that the entire flight is processed atomically >> and generate errors based on that. Only when the entire flight is >> processed cleanly do we install keys and respond. > > My implementation processes message-by-message. So it installs the > client handshake keys after ServerHello. > >> This is a pain for us, we don't have the code that Ilari talks about, >> so some of our tests end up hitting decode errors on the server, but >> it's been manageable thus far. > > The code I was talking about was handling the special case that the > server might receive either encrypted or unencrypted alert in response > to its flight. And the difference it makes is just what error is > declared as abort reason. Up to TLSv1.2 there was no confusion about whether a TLS record was encrypted or not: everything before "ChangeCipherSpec" is cleartext, everything thereafter is encrypted. Easy and straightforward solution would be to add the (meta-)information whether the Contents of a TLSv1.3 record are encrypted or not into the outer ContentType field, i.e. define an additional "encrypted Alert" content type and ensure that Alerts ContentTypes are always visible in the traditional TLS record header (rather than the bogus/futile attempt to hide this information). Having to do heuristics on something that can be easily deterministically tagged as one or the other, seems a little odd. -Martin
- [TLS] Alert after sending ServerHello Roelof Du Toit
- Re: [TLS] Alert after sending ServerHello Ilari Liusvaara
- Re: [TLS] Alert after sending ServerHello Martin Thomson
- Re: [TLS] Alert after sending ServerHello Ilari Liusvaara
- Re: [TLS] Alert after sending ServerHello Benjamin Kaduk
- Re: [TLS] Alert after sending ServerHello Martin Rex
- Re: [TLS] Alert after sending ServerHello Martin Thomson
- Re: [TLS] Alert after sending ServerHello Ilari Liusvaara
- Re: [TLS] [EXT] Re: Alert after sending ServerHel… Roelof Du Toit
- Re: [TLS] Alert after sending ServerHello Martin Thomson
- Re: [TLS] Alert after sending ServerHello Martin Thomson