Re: [TLS] RFC 6066 - Max fragment length negotiation
Thomas Pornin <pornin@bolet.org> Fri, 17 March 2017 15:38 UTC
Return-Path: <pornin@bolet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 314C6129479 for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 08:38:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id obOIV6tocW2B for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 08:38:01 -0700 (PDT)
Received: from brontes.bolet.org (www.bolet.org [62.210.214.227]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 095BA1294A6 for <tls@ietf.org>; Fri, 17 Mar 2017 08:38:00 -0700 (PDT)
Received: by brontes.bolet.org (Postfix, from userid 1000) id 58E7620821; Fri, 17 Mar 2017 16:37:59 +0100 (CET)
Date: Fri, 17 Mar 2017 16:37:59 +0100
From: Thomas Pornin <pornin@bolet.org>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170317153759.GA22929@bolet.org>
References: <1489710142144.88978@cs.auckland.ac.nz> <CABkgnnXiB5ksGbbPqDP3D=FVdQu9ht0vD8-T-5HTaEKQQE4+9w@mail.gmail.com> <1489721710740.52293@cs.auckland.ac.nz> <CABkgnnWq_5e8TJgJV+okqi6vo-_5=811pOZRtUCp0TD07SmNoQ@mail.gmail.com> <CABkgnnW=Pz+6M8UYoB+MTY8rQp9vsHyh6aqiSb3EbTT_BdWokA@mail.gmail.com> <1489747107536.25854@cs.auckland.ac.nz> <CABkgnnUqHvc6zOL1SYP8FwBcF7SeMnnT-PJOwhMB1qqeDAcp9w@mail.gmail.com> <1489749662616.94542@cs.auckland.ac.nz> <20170317133344.GA20310@bolet.org> <20170317144448.GB26550@LK-Perkele-V2.elisa-laajakaista.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170317144448.GB26550@LK-Perkele-V2.elisa-laajakaista.fi>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Rl96gWHqVLRUBNhMtuNuVgtvzmA>
Subject: Re: [TLS] RFC 6066 - Max fragment length negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 15:38:03 -0000
On Fri, Mar 17, 2017 at 04:44:48PM +0200, Ilari Liusvaara wrote: > The mere thought of someone implementing streaming processing in > C scares me. I think BearSSL autogenerates that code. Yes, actual code is in a custom Forth dialect, which is compiled to token-threaded code executed by a C interpreter. That's because if you want to implement streamed processing sanely in an imperative language (like C), then you basically need coroutines, i.e. the ability to interrupt the processing, and later on jump back to the processing. You cannot do that in plain C if you have function calls and thus a "call stack" to save and recover (and if you do not, then the code becomes insanely unreadable). You _could_ make a custom stack, but this is expensive (since the C compiler tends to create local variables at will, a custom stack would need at least 1 or 2 kB of extra RAM) and it is awfully non-portable. > Also, in TLS 1.3, certificate messages are considerably more > complicated. I don't think streaming processing of recommended-to- > support stuff is even possible. Streaming processing is ill-supported and on the decline. E.g. even with TLS 1.2, EdDSA-signed certificates cannot be processed with streaming, because the hash function computation over the to-be-signed must begin with hashing the 'R' element (which is part of the signature, and occurs _after_ the TBS) and the 'A' value (the signer's public key, which is found in the signer's certificate, that comes _after_ the current certificate in TLS 1.2 Certificate message). Since TLS 1.3 also mandates some options that may require considerable buffering (e.g. the cookies and the session tickets, both ranging up to 64 kB), one might say that, as an evolving standard, TLS 1.3 is moving away from the IoT/embedded world, and more toward a Web world. This is not necessarily _bad_, but it is likely to leave some people unsatisfied (and, in practice, people clinging to TLS 1.2). > TLS architecture does not allow this. Sending any extension in server > hello that wasn't in client hello causes loads of implementations to > just blow up (my implementation is certainly one of those). In fact, > clients are REQUIRED to. I know. BearSSL also rejects server extension that do not match client extensions. It also rejects attempts by the server at trying to negotiate a different maximum fragment length. It does so because the RFC says so (even though I agree with Peter that the standard behaviour is of questionable usefulness). > You mean maximum handshake message size and maximum record size? I mean a maximum record size for records sent by the client to the server, _and_ a maximum record size for records sent by the server to the client. Since any implementation may use distinct buffers for sending and for receiving(*), the two sizes need not match. (*) In particular, if you want to support HTTPS, where pipelining requests is allowed, an HTTPS-aware server more or less needs to have two distinct buffers for input and output. --Thomas
- [TLS] RFC 6066 - Max fragment length negotiation Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Yoav Nir
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Yoav Nir
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Thomas Pornin
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Ilari Liusvaara
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Ilari Liusvaara
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Thomas Pornin
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Ilari Liusvaara
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Joseph Birr-Pixton
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Joseph Birr-Pixton
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Sheehe, Charles J. (GRC-LCA0)
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Thomas Pornin
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nikos Mavrogiannopoulos
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Rex
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann