IETF Logo Mail Archive

Re: [TLS] close_notify and TLS 1.3

David Schinazi <dschinazi@apple.com> Sun, 12 November 2017 02:39 UTC

Return-Path: <dschinazi@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D5A5128CDC for <tls@ietfa.amsl.com>; Sat, 11 Nov 2017 18:39:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wGAeqAbD2wiQ for <tls@ietfa.amsl.com>; Sat, 11 Nov 2017 18:39:49 -0800 (PST)
Received: from mail-in1.asia.apple.com (mail-out.asia.apple.com [17.82.254.63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75B86128B90 for <tls@ietf.org>; Sat, 11 Nov 2017 18:39:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1510454381; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=ZOzIUSY/mvT+6z40Osr/aLJNUtYkC8xIhAb5ZBsANuM=; b=XpEe1TXUWlaUVnWiLDigL4kSNK6+huU68F9DBk1X5rnCa1T8k44grJ/TPFRXCcPS CEQoBQn/OpE4FhvsE+KHscEKuwv4y19j+A8HcyiFlfqDXnuglcP8ZqKhWNQpFhDh uFzkvaXQib7h1O2G232hSJTyOutmo8XpLz+lkcj2mACk8ybPPCyzcDdIjDS8DKp9 XHXBAimtNzkwoDFHGRhm6/IhPNjZH20UQfEYWRY/yHCtNxY3WTOoRCtAFddNzy0c 0XdMwO+V06ibFZ/W19i9lurElMZbWossTzq5/mTRNtf92U1pzjS+3/M1Ve0t2iyn 66l41F+GWpZvO9uQKQPz2w==;
Received: from relay2.asia.apple.com ( [17.82.200.16]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in1.asia.apple.com (Apple Singapore Mail Gateway) with SMTP id 77.AD.07591.D64B70A5; Sun, 12 Nov 2017 10:39:41 +0800 (MYT)
X-AuditID: 1152fe11-8cbff70000001da7-f0-5a07b46d6ea3
Received: from mmp3.asia.apple.com ( [17.84.76.250]) by relay2.asia.apple.com (Apple Singapore relay) with SMTP id C8.31.31851.D64B70A5; Sun, 12 Nov 2017 10:39:41 +0800 (MYT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_3CI51gpQ6nD4ouILePymKQ)"
Received: from [IPv6:2001:67c:370:1998:e0f4:6d59:e5c5:47fd] (nat64-46.meeting.ietf.org [31.130.238.70]) by mmp3.asia.apple.com (Oracle Communications Messaging Server 8.0.1.3.20170825 64bit (built Aug 25 2017)) with ESMTPSA id <0OZA00E4KA24JE40@mmp3.asia.apple.com>; Sun, 12 Nov 2017 10:39:41 +0800 (SGT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
Message-id: <3C858B74-DCEA-4FA2-88B3-0FF1242CC0E8@apple.com>
Date: Sun, 12 Nov 2017 10:39:41 +0800
In-reply-to: <CABkgnnWwPY_ksXxqDuJ5K1pY1HryszGHOp89J7cYH39iv-DcCQ@mail.gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
To: Martin Thomson <martin.thomson@gmail.com>
References: <A6C599ED-3F3D-462F-9B39-1FEF6A0B549B@apple.com> <CABkgnnU3OuzEm2gF6BYif4c0evAfzUYH-PpxoERD9xFEosQ_oQ@mail.gmail.com> <CAF8qwaB2fXoiy8RLdg9Kc+5xAoCgU2JkoHXw8H-xSsEXMWWgXg@mail.gmail.com> <CABcZeBPHGNHBtx4c3=jPS8-PJDHF3E608KoDswJucbaiFFkYwg@mail.gmail.com> <CABkgnnWwPY_ksXxqDuJ5K1pY1HryszGHOp89J7cYH39iv-DcCQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.1.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrLLMWRmVeSWpSXmKPExsUiGHRCQDd3C3uUwZcv4hYrXp9jt7h25h+j xafzXYwOzB47Z91l91iy5CeTx+THbcwBzFFcNimpOZllqUX6dglcGXO3zGQseJtR8XR9G2MD 4+nILkYODgkBE4n7tzO6GLk4hARWMkkc7/3B2MXICRbvu3STHSKxgVHi3dznYAleAUGJH5Pv sYDYzAJhEjMOboIq2sUk8enGZbAiYQFpia4Ld1lBNrAJaEkcWGME0Wsj8WzZExaIEm2J9U0v mUBsFgFVifU928HinALBEtN/PWeDmG8vsaT7KSuILSKgK7Ho7AOoXTeYJA7snMwMcamixJGZ c5hBEhICa9gkzp7bwD6BUWgWkmNnITl2FtBNzALqElOm5EKEtSWevLvACmGrSSz8vYgJWXwB I9sqRvHcxMwc3cw8Q73E4sxEvcSCgpxUveT83E2M4Ej5J7iDcepCw0OMAhyMSjy8fsAIEmJN LCuuzD3EKMHBrCTCWyIEFOJNSaysSi3Kjy8qzUktPsQozcGiJM7bF/kpUkggPbEkNTs1tSC1 CCbLxMEp1cAoOjvu3P7Lqxuy1zMv8mH8bXMo6v3ax6FLJ0huOv+h7/2Tp03COQubY0s3dBn/ FXHuE6pYuv/XOtmF/IaTU02kTspW9/49s3CW3AFrkWVrGj6JTWTLrvhqsEfQ0GVNjsSc/78i 29VETnz/f9Sw+KU5Q/yKtXVSEhuku29wba78L3lt/5knbUs+KrEUZyQaajEXFScCAM4pnG6Q AgAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrGLMWRmVeSWpSXmKPExsUiGOLzSzd3C3uUQeN8AYsVr8+xW1w784/R 4tP5LkYHZo+ds+6yeyxZ8pPJY/LjNuYA5igum5TUnMyy1CJ9uwSujLlbZjIWvM2oeLq+jbGB 8XRkFyMnh4SAiUTfpZvsXYxcHEICGxgl3s19zgiS4BUQlPgx+R4LiM0sECYx4+AmqKJdTBKf blwGKxIWkJbounCXtYuRg4NNQEviwBojiF4biWfLnrBAlGhLrG96yQRiswioSqzv2Q4W5xQI lpj+6zkbxHx7iSXdT1lBbBEBXYlFZx9A7brBJHFg52RmiEsVJY7MnMM8gZF/FpL7ZiG5bxbQ GcwC6hJTpuRChLUlnry7wAphq0ks/L2ICVl8ASPbKkbRotScxEojvcTizES9xIKCnFS95Pzc TYyg0A46IbCDcdYhg0OMAhyMSjy8yRvZo4RYE8uKK3MPMUpwMCuJ8JYIAYV4UxIrq1KL8uOL SnNSiw8xSnOwKInzakZ9ihQSSE8sSc1OTS1ILYLJMnFwSjUwZs/66v6gRNrBouJ6veRynpMM gvNP8BrdYdNexXTuvs2NQ9W+U7fmV2x6WzE9N/fC/o9LH/Qr/RcUfZ08K9Y0lplJ8b3Pe9VI xozLTPNZnlophJX479CetLndpo5Jbdb+TXdi2ELd9jcm8D69ZqA6838Dx+3cVF9zb8M1GnH6 507P6bx7htVHiaU4I9FQi7moOBEAi+HYO2kCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/M-yIC7-emW5-SP5B0TClKanSwZU>
Subject: Re: [TLS] close_notify and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Nov 2017 02:39:51 -0000

I've sent out a PR:
https://github.com/tlswg/tls13-spec/pull/1092 <https://github.com/tlswg/tls13-spec/pull/1092>

It might be a little verbose but I think it explains and solves the problem.
Please let me know what you think!

Thanks,
David Schinazi


> On Nov 12, 2017, at 09:47, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> We suppress the sending of a close_notify if we have received one, but
> that's a fairly simple thing to correct.
> 
> On Sun, Nov 12, 2017 at 9:13 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> Initial inspection suggests that NSS behaves the same way, so I would be
>> fine with this change.
>> 
>> -Ekr
>> 
>> 
>> On Sat, Nov 11, 2017 at 3:46 PM, David Benjamin <davidben@chromium.org>
>> wrote:
>>> 
>>> I think this change is a good idea.
>>> 
>>> Our implementation actually does this already anyway. We are happy to
>>> continue servicing writes even when the read half has consumed a
>>> close_notify. I believe we inherited this behavior from OpenSSL, so it
>>> should be there too. Go's crypto/tls implementation appears to also already
>>> do this.
>>> 
>>> We don't have a particular need for the half-close semantics that I know
>>> of, but I don't care for the current spec text (it requires yet another
>>> undesirable read/write sync point). Aligning with TCP's semantics is also
>>> generally a good default.
>>> 
>>> On Sat, Nov 11, 2017 at 11:18 PM Martin Thomson <martin.thomson@gmail.com>
>>> wrote:
>>>> 
>>>> This seems like it might be worth looking at.  This seems to be
>>>> something that harks back to SSL3 or even earlier.  We aren't going to
>>>> make it so that you can rely on this behaviour, but we might be able
>>>> to make it possible to half-close, which for new protocols using TLS
>>>> could be hugely useful.
>>>> 
>>>> On Sat, Nov 11, 2017 at 5:21 PM, David Schinazi <dschinazi@apple.com>
>>>> wrote:
>>>>> Hello all,
>>>>> 
>>>>> Currently TLS 1.3 specifies close_notify in the same way that TLS 1.2
>>>>> did.
>>>>> I believe that has issues and this might be the right time to fix them.
>>>>> The purpose of close_notify is to protect against data truncation
>>>>> attacks,
>>>>> each side is required to send close_notify before closing the write
>>>>> side of
>>>>> the transport connection so the other side knows that the data was not
>>>>> truncated.
>>>>> As such, close_notify only needs half-close semantics to prevent
>>>>> truncation.
>>>>> 
>>>>> However, the specification contains the following text:
>>>>> << Each party MUST send a “close_notify” alert before closing the write
>>>>> side
>>>>>    of the connection, unless some other fatal alert has been
>>>>> transmitted.
>>>>>    The other party MUST respond with a “close_notify” alert of its own
>>>>> and
>>>>> close
>>>>>    down the connection immediately, discarding any pending writes. >>
>>>>> 
>>>>> This means that an application-layer client can't send a query then
>>>>> close
>>>>> their
>>>>> write transport when they know that they're done, because the server
>>>>> would
>>>>> terminate the TLS session before sending the reply. On top of this,
>>>>> when
>>>>> the server receives the close_notify, it may have already sent part of
>>>>> the
>>>>> reply
>>>>> (or wrote it to the socket send buffer) so the responding close_notify
>>>>> would
>>>>> in effect be inflicting a truncation attack on the client.
>>>>> 
>>>>> This doesn't make much difference for HTTP because clients already
>>>>> don't close their write transport after sending a reply, however having
>>>>> the
>>>>> option do do this could allow innovation in new protocols that can
>>>>> define
>>>>> the semantics of when they use close_notify. An example is DNS PUSH:
>>>>> https://tools.ietf.org/html/draft-ietf-dnssd-push
>>>>> 
>>>>> A proposal to solve this problem would be to give close_notify
>>>>> half-close
>>>>> semantics: we keep the requirements that a close_notify be sent before
>>>>> closing the transport, and that any data received after a close_notify
>>>>> is
>>>>> ignored, but we simply remove the requirement to immediately reply
>>>>> with a close_notify. This has the advantage that current
>>>>> implementations
>>>>> are already compliant but future ones can leverage this improvement.
>>>>> 
>>>>> What do you think? Is this worth discussing on Thursday?
>>>>> 
>>>>> Thanks,
>>>>> David Schinazi
>>>>> 
>>>>> _______________________________________________
>>>>> TLS mailing list
>>>>> TLS@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>> 
>>> 
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>> 
>> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email