[TLS] Alert type for connection limit or server busy?
Chris Newman <chris.newman@oracle.com> Tue, 01 April 2014 19:35 UTC
Return-Path: <chris.newman@oracle.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D59431A09AD for <tls@ietfa.amsl.com>; Tue, 1 Apr 2014 12:35:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kLlBPgOAHsXU for <tls@ietfa.amsl.com>; Tue, 1 Apr 2014 12:35:43 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 937B91A06BC for <tls@ietf.org>; Tue, 1 Apr 2014 12:35:43 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s31JZdCA007237 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <tls@ietf.org>; Tue, 1 Apr 2014 19:35:39 GMT
Received: from gotmail.us.oracle.com (gotmail.us.oracle.com [10.133.152.174]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s31JZdR1029287 for <tls@ietf.org>; Tue, 1 Apr 2014 19:35:39 GMT
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-disposition: inline
Content-type: text/plain; CHARSET="US-ASCII"
Received: from [10.145.239.205] (dhcp-whq-twvpn-1-vpnpool-10-159-156-15.vpn.oracle.com [10.159.156.15]) by gotmail.us.oracle.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built Jan 22 2014)) with ESMTPA id <0N3D00G1JAFD2C00@gotmail.us.oracle.com> for tls@ietf.org; Tue, 01 Apr 2014 12:35:38 -0700 (PDT)
Date: Tue, 01 Apr 2014 12:35:38 -0700
From: Chris Newman <chris.newman@oracle.com>
To: tls@ietf.org
Message-id: <EBC54843816A0E9AD64C880F@96B2F16665FF96BAE59E9B90>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/M3voNUOek5o6RguVlpeD9tROwNA
Subject: [TLS] Alert type for connection limit or server busy?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Apr 2014 19:35:45 -0000
Is there a TLS Alert type that can be used by a TLS server to reject a TLS client connection based on a per-IP-address connection limit? The idea would be to have the server reject the connection before spending cycles on the TLS negotiation. But it's important to inform the client why the connection is rejected in order to reduce the number and severity of support calls that might be generated by such a limit if the connections were silently dropped. Another case that's interesting is when the server is temporarily overloaded and wants to reserve CPU cycles for existing connections rather than spending cycles accepting new connections. Again, it's desirable to indicate to the client the cause of this connection failure in an attempt to reduce the number and severity of support calls and also desirable not to spend unnecessary server time on the TLS negotiation. With the STARTTLS model, applications could just reject at the banner with a text error message. But with the separate-port-for-TLS model, this needs to be done in the TLS layer. I didn't see appropriate alerts in RFC 5246 section 7.2. Could alerts for these two cases be added as an extension or a TLS 1.3 feature? - Chris
- [TLS] Alert type for connection limit or server b… Chris Newman
- Re: [TLS] Alert type for connection limit or serv… Erik Nygren
- Re: [TLS] Alert type for connection limit or serv… Alyssa Rowan
- Re: [TLS] Alert type for connection limit or serv… Alyssa Rowan
- Re: [TLS] Alert type for connection limit or serv… Erik Nygren
- Re: [TLS] Alert type for connection limit or serv… Yoav Nir