IETF Logo Mail Archive

Re: [TLS] RFC 6066 - Max fragment length negotiation

Thomas Pornin <pornin@bolet.org> Fri, 17 March 2017 15:38 UTC

Return-Path: <pornin@bolet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 314C6129479 for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 08:38:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id obOIV6tocW2B for <tls@ietfa.amsl.com>; Fri, 17 Mar 2017 08:38:01 -0700 (PDT)
Received: from brontes.bolet.org (www.bolet.org [62.210.214.227]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 095BA1294A6 for <tls@ietf.org>; Fri, 17 Mar 2017 08:38:00 -0700 (PDT)
Received: by brontes.bolet.org (Postfix, from userid 1000) id 58E7620821; Fri, 17 Mar 2017 16:37:59 +0100 (CET)
Date: Fri, 17 Mar 2017 16:37:59 +0100
From: Thomas Pornin <pornin@bolet.org>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170317153759.GA22929@bolet.org>
References: <1489710142144.88978@cs.auckland.ac.nz> <CABkgnnXiB5ksGbbPqDP3D=FVdQu9ht0vD8-T-5HTaEKQQE4+9w@mail.gmail.com> <1489721710740.52293@cs.auckland.ac.nz> <CABkgnnWq_5e8TJgJV+okqi6vo-_5=811pOZRtUCp0TD07SmNoQ@mail.gmail.com> <CABkgnnW=Pz+6M8UYoB+MTY8rQp9vsHyh6aqiSb3EbTT_BdWokA@mail.gmail.com> <1489747107536.25854@cs.auckland.ac.nz> <CABkgnnUqHvc6zOL1SYP8FwBcF7SeMnnT-PJOwhMB1qqeDAcp9w@mail.gmail.com> <1489749662616.94542@cs.auckland.ac.nz> <20170317133344.GA20310@bolet.org> <20170317144448.GB26550@LK-Perkele-V2.elisa-laajakaista.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170317144448.GB26550@LK-Perkele-V2.elisa-laajakaista.fi>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Rl96gWHqVLRUBNhMtuNuVgtvzmA>
Subject: Re: [TLS] RFC 6066 - Max fragment length negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 15:38:03 -0000

On Fri, Mar 17, 2017 at 04:44:48PM +0200, Ilari Liusvaara wrote:
> The mere thought of someone implementing streaming processing in
> C scares me. I think BearSSL autogenerates that code.

Yes, actual code is in a custom Forth dialect, which is compiled to
token-threaded code executed by a C interpreter. That's because if you
want to implement streamed processing sanely in an imperative language
(like C), then you basically need coroutines, i.e. the ability to
interrupt the processing, and later on jump back to the processing. You
cannot do that in plain C if you have function calls and thus a "call
stack" to save and recover (and if you do not, then the code becomes
insanely unreadable). You _could_ make a custom stack, but this is
expensive (since the C compiler tends to create local variables at will,
a custom stack would need at least 1 or 2 kB of extra RAM) and it is
awfully non-portable.


> Also, in TLS 1.3, certificate messages are considerably more
> complicated. I don't think streaming processing of recommended-to-
> support stuff is even possible.

Streaming processing is ill-supported and on the decline. E.g. even with
TLS 1.2, EdDSA-signed certificates cannot be processed with streaming,
because the hash function computation over the to-be-signed must begin
with hashing the 'R' element (which is part of the signature, and occurs
_after_ the TBS) and the 'A' value (the signer's public key, which is
found in the signer's certificate, that comes _after_ the current
certificate in TLS 1.2 Certificate message).

Since TLS 1.3 also mandates some options that may require considerable
buffering (e.g. the cookies and the session tickets, both ranging up to
64 kB), one might say that, as an evolving standard, TLS 1.3 is moving
away from the IoT/embedded world, and more toward a Web world. This is
not necessarily _bad_, but it is likely to leave some people unsatisfied
(and, in practice, people clinging to TLS 1.2).


> TLS architecture does not allow this. Sending any extension in server
> hello that wasn't in client hello causes loads of implementations to
> just blow up (my implementation is certainly one of those). In fact,
> clients are REQUIRED to.

I know. BearSSL also rejects server extension that do not match client
extensions. It also rejects attempts by the server at trying to
negotiate a different maximum fragment length. It does so because the
RFC says so (even though I agree with Peter that the standard behaviour
is of questionable usefulness).


> You mean maximum handshake message size and maximum record size?

I mean a maximum record size for records sent by the client to the
server, _and_ a maximum record size for records sent by the server to
the client. Since any implementation may use distinct buffers for
sending and for receiving(*), the two sizes need not match.


(*) In particular, if you want to support HTTPS, where pipelining
requests is allowed, an HTTPS-aware server more or less needs to
have two distinct buffers for input and output.


	--Thomas

v2.23.0 | Report a Bug | By Email