Re: [TLS] new error alerts?

Dave Garrett <davemgarrett@gmail.com> Thu, 23 July 2015 20:01 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: Aaron Zauner <azet@azet.org>
Date: Thu, 23 Jul 2015 16:01:12 -0400
References: <201507222139.46391.davemgarrett@gmail.com> <201507231426.20542.davemgarrett@gmail.com> <55B140FA.4060705@azet.org>
In-Reply-To: <55B140FA.4060705@azet.org>
Message-Id: <201507231601.13026.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/HxfiGef1B124vwGT8XY0Yi8ew3I>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] new error alerts?

On Thursday, July 23, 2015 03:31:06 pm Aaron Zauner wrote:
> Fine with that. Now that I think about it again; I'm also fine with the
> original proposal. The thing is 'insufficient security' has a nicer ring
> to it than 'unsupported XYZ'.

It's wrong, though. If a server rejects a client connection because the server only supports RC4 and the client doesn't, the correct error for the server to return is "insufficient_security". If you invert the meaning, I guess the server has insufficient security, but it's not the same.

If we're ok with a complete change, then I'll just go with the "unsupported_X" format as there's already an "unsupported_certificate" and "unsupported_extension".

I'll stick a commit for this into my ever-growing PR #201 in a bit.


Dave
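As an added example (not code from this thread, the TLS draft or PR #201), a small server-side suite selection that emits `insufficient_security` only in the direction RFC 5246 defines it (the server requires stronger ciphers than the client offered) and falls back to `handshake_failure` otherwise, then encodes the fatal alert as a TLS record. The suite names, strength table and minimum-strength policy are constructed assumptions, not any implementation's real configuration.

```python
import struct

# AlertDescription values from RFC 5246 section 7.2 that this thread discusses.
ALERT = {
    "handshake_failure": 40,
    "unsupported_certificate": 43,
    "insufficient_security": 71,
    "unsupported_extension": 110,
}
ALERT_LEVEL_FATAL = 2
CONTENT_TYPE_ALERT = 21

# Constructed server policy (assumption): ordered preference plus a minimum
# strength; RC4 and NULL suites are rated 0 so a server with this policy
# never accepts them.
SERVER_PREF = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_RSA_WITH_AES_128_CBC_SHA"]
STRENGTH = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 128,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 128,
    "TLS_RSA_WITH_RC4_128_SHA": 0,
    "TLS_RSA_WITH_NULL_SHA": 0,
}
MIN_STRENGTH = 128


def choose_suite(client_suites):
    """Return (suite, None) on success or (None, alert_name) on failure.

    insufficient_security is only correct when every suite the client offered
    falls below what this server requires. If the client offered strong suites
    that the server merely does not implement, that is a plain
    handshake_failure: it says nothing about the client's security."""
    for suite in SERVER_PREF:
        if suite in client_suites:
            return suite, None
    # No overlap; decide why. Unknown suites are assumed adequately strong so
    # they never trigger the "client is too weak" alert.
    if client_suites and all(STRENGTH.get(s, MIN_STRENGTH) < MIN_STRENGTH
                             for s in client_suites):
        return None, "insufficient_security"
    return None, "handshake_failure"


def alert_record(alert_name, version=(3, 3)):
    """Encode a fatal alert as one TLS record: type 21, version, length 2,
    then the 2-byte Alert body (level, description)."""
    body = bytes([ALERT_LEVEL_FATAL, ALERT[alert_name]])
    header = struct.pack("!BBBH", CONTENT_TYPE_ALERT, version[0], version[1],
                         len(body))
    return header + body
```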