Re: [TLS] new error alerts?

Jeffrey Walton <noloader@gmail.com> Thu, 23 July 2015 17:58 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC7521B2A49 for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 10:58:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BjjUc4ID0dpo for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 10:58:13 -0700 (PDT)
Received: from mail-ie0-x22a.google.com (mail-ie0-x22a.google.com [IPv6:2607:f8b0:4001:c03::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 457C91B2A45 for <tls@ietf.org>; Thu, 23 Jul 2015 10:58:13 -0700 (PDT)
Received: by iecri3 with SMTP id ri3so1835311iec.2 for <tls@ietf.org>; Thu, 23 Jul 2015 10:58:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:content-transfer-encoding; bh=pst3wu0ZxHHMufizNbfxsIeiH1HteyaT4qO2Dg68cVs=; b=uj+O/3RseGRo7Un5hXs8O+gXHvWFPVQtW+s7kewaX+daDwFT2qIXE3JAeVyQDDYhHb 841aGaisjVxyrrdmjhetTg/xQ4yhJaswFuyokm5O2F6BuaJnaijAcWgRJZAqYFAdW1d8 WBSRUdLhDGDgeCBqnATfNHELaXpBmFsOhpXY1gtAuJw8Rc0eX0wTlGTB3bJo3RiHfQOs Zvoz1Hlb31ZItV9lD7jK5YxTe1lu/GNT1/b6aKr7f5TP0JYGtlZjHpmtjAWlzkgnvwT2 gcvOwRIN1N1EWjhVm11xoXiOUOM4Sr+qDbUnPXGrKJKHuT8J/5WXPPskSNTMQRslN0jj 4Uuw==
MIME-Version: 1.0
X-Received: by 10.107.132.154 with SMTP id o26mr15070365ioi.3.1437664627538; Thu, 23 Jul 2015 08:17:07 -0700 (PDT)
Received: by 10.36.107.150 with HTTP; Thu, 23 Jul 2015 08:17:07 -0700 (PDT)
In-Reply-To: <201507222139.46391.davemgarrett@gmail.com>
References: <201507222139.46391.davemgarrett@gmail.com>
Date: Thu, 23 Jul 2015 11:17:07 -0400
Message-ID: <CAH8yC8n5N6G32uxU9iQWPDocLP3vZNKPRuV1povKkSuVafahBw@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Nyv-BfY9xHdgeEC1G1F-1ZN2z4I>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] new error alerts?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 17:58:16 -0000

On Wed, Jul 22, 2015 at 9:39 PM, Dave Garrett <davemgarrett@gmail.com> wrote:
> Hubert Kairo found quite a few more spots in need of explicit error designations, which have been amended into PR #201.
> https://github.com/tlswg/tls13-spec/pull/201
>
> I just noticed one error in the current draft text that was wrong and added a fix for that as well. The Server Hello section said that lack of acceptable group would result in an "insufficient_security" error, which is incorrect. That error is clearly defined to be for lack of acceptable cipher suite. The Negotiated Groups section says lack of acceptable group is a “handshake_failure” error. I changed the text to state the error for suites, as the other is already noted elsewhere. (this change is now in PR #201) This brings up a problem, however: there is no distinct error for lack of group support. The “handshake_failure” is a bit of a catchall, so there's no way for a client to really know what's wrong if this happens. This is also why I don't want to change the definition of the "insufficient_security" error. Clients rely on these being relatively precise in order to show error messages that are hopefully meaningful enough to get them fixed. As such, I'd like to propose adding a new error just for this and renaming the old one to focus precisely on its long defined meaning. While we're at it, a failure of client authentication doesn't have its own error alert code either.
>
>   enum {
>        handshake_failure(40),
>        unsupported_cipher_suites(71),  /* formerly insufficient_security */
>        unsupported_dh_groups(72),  /* new */
>        client_authentication_failure(73),  /* new */
>        (255)
>    } AlertDescription;
>
> Pretty straightforward. Are there any other errors that can't be clearly identified by the returned code? Debugging shouldn't be guesswork. ;)
>
Alert 40 shows up frequently in my debugging experiences. A few things
can cause it. It would be nice to see that one broken out.

Jeff