IETF Logo Mail Archive

[TLS] close_notify and TLS 1.3

David Schinazi <dschinazi@apple.com> Sat, 11 November 2017 09:21 UTC

Return-Path: <dschinazi@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 828D81294B9 for <tls@ietfa.amsl.com>; Sat, 11 Nov 2017 01:21:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FVJRfAMiLpAc for <tls@ietfa.amsl.com>; Sat, 11 Nov 2017 01:21:14 -0800 (PST)
Received: from mail-in1.asia.apple.com (mail-out.asia.apple.com [17.82.254.63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E98712949F for <tls@ietf.org>; Sat, 11 Nov 2017 01:21:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1510392071; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=TDXiU6L93aAaMEbltReZ7/Jkr4wJrxbqVkrrh78v2ho=; b=2mn/b+/mNE8nxtrJXR5ag3wQEzBP1OewEpDqGchnKYxlP1s0mSnT4Sg5EXdHaztg x8FXM7OhHhRFMhAanNkpjMsiCZphrw0SLzmzH9K/3yJ6H0+y8O5BRYP+ATNfQvGt x9UeWN1DDV6j17/mKxLpdKSllPBoshSCG2K1V5kRgV+bRON0BOXWw/H8zSFRV5lW UGcNebN5fw+mOrWmjLdZ/0E/ygRh4L/7WbBiCYrbxQ4M8gjo7EwQxgfXVNjALpjX xeqd2qwn5zrf7e+zpDdSLYVFXsDpAYAK/YcbbMOgHIE0cD+2yOUorXwJbiz8GVTi XbKYsB/ItGB+eH/yXDQOrA==;
Received: from relay2.asia.apple.com ( [17.82.200.16]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in1.asia.apple.com (Apple Singapore Mail Gateway) with SMTP id 67.39.07591.701C60A5; Sat, 11 Nov 2017 17:21:11 +0800 (MYT)
X-AuditID: 1152fe11-8cbff70000001da7-54-5a06c107914c
Received: from mmp3.asia.apple.com ( [17.84.76.250]) by relay2.asia.apple.com (Apple Singapore relay) with SMTP id 92.39.31851.701C60A5; Sat, 11 Nov 2017 17:21:11 +0800 (MYT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_2Mp+PFhWOsbjWXj1wK7AxQ)"
Received: from dhcp-88ad.meeting.ietf.org (dhcp-88ad.meeting.ietf.org [31.133.136.173]) by mmp3.asia.apple.com (Oracle Communications Messaging Server 8.0.1.3.20170825 64bit (built Aug 25 2017)) with ESMTPSA id <0OZ800AEZXZB1970@mmp3.asia.apple.com> for tls@ietf.org; Sat, 11 Nov 2017 17:21:11 +0800 (SGT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
Message-id: <A6C599ED-3F3D-462F-9B39-1FEF6A0B549B@apple.com>
Date: Sat, 11 Nov 2017 17:21:11 +0800
To: tls@ietf.org
X-Mailer: Apple Mail (2.3445.1.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrMLMWRmVeSWpSXmKPExsUiGHRCQJf9IFuUQecODYtP57sYHRg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVsbL3K1PBP/2KmZM2sDQwvtDoYuTkkBAwkfh8/BtbFyMXh5DA SiaJA1/eM3cxcoAlvnwRhohvYJToOnaEDaSBV0BQ4sfkeywgNrNAmMTMz0/ZIYp2M0m0fnvN DpIQFpCW6LpwlxVkEJuAlsSBNUYQYUWJfy8mMkHMsZH413AGzGYRUJX4fPsSI0i5iICARPNL MYjbFCWOzJzDDDJeQuAlq8Sss89ZJjDyz0JyxiwkZ8wCamcWUJeYMiUXIqwt8eTdBVYIW01i 4e9FTMjiCxjZVjGK5yZm5uhm5hnqJRZnJuolFhTkpOol5+duYgQH7T/BHYxTFxoeYhTgYFTi 4c1bwBYlxJpYVlyZe4hRgoNZSYSXLQwoxJuSWFmVWpQfX1Sak1p8iFGag0VJnLcv8lOkkEB6 YklqdmpqQWoRTJaJg1OqgXHKiqUPoqJ2rP0/uX9aePX7TTE6b6S2/5Wd+P/dE5+ZAgx/LM12 iWkwur3I4DGpVy9PYTq/5d7ZDR7p/OdnnJ9v+3nu/EUCHj/c81SnCNsbaDeztsdfPHFxllGX /moFu1hprlMzup3sZAx1Tv0quLTt6LsZPnc8brjUPduw7s7Et175v6ZvydyuxFKckWioxVxU nAgAuhWD51YCAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprNLMWRmVeSWpSXmKPExsUiGOLzS5f9IFuUwew/ChafzncxOjB6LFny kymAMYrLJiU1J7MstUjfLoErY2XvV6aCf/oVMydtYGlgfKHRxcjBISFgIvHli3AXIxeHkMAG RomuY0fYuhg5OXgFBCV+TL7HAmIzC4RJzPz8lB2iaDeTROu31+wgCWEBaYmuC3dZQQaxCWhJ HFhjBBFWlPj3YiITxBwbiX8NZ8BsFgFVic+3LzGClIsICEg0vxQDCUsAlR+ZOYd5AiPPLCSb ZyHZPAuog1lAXWLKlFyIsLbEk3cXWCFsNYmFvxcxIYsvYGRbxShalJqTWGmkl1icmaiXWFCQ k6qXnJ+7iREUZEEnBHYwzjpkcIhRgINRiYc3bwFblBBrYllxZe4hRgkOZiURXrYwoBBvSmJl VWpRfnxRaU5q8SFGaQ4WJXFezahPkUIC6YklqdmpqQWpRTBZJg5OqQbGJY1+6tIBpV9m1pop LstSv6Oe8/TmHjXBIDlDztMXs+6GM29YFN/j+1KtQ3iy49JfObfvi8/maGftsevnds2yei7F YPfQqz/9XM2qWn09uaepsp2Hz1o4qeVNVt3/m6ly6yZ7peAGWTHf7IiyHL9JThOSj5/7KDtl O3Pqhk9FeTnTHI5cTVFiKc5INNRiLipOBAC4kjlkLgIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/V47DfS4qdsdrF2QLHogsw_aNp9M>
Subject: [TLS] close_notify and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Nov 2017 09:21:16 -0000

Hello all,

Currently TLS 1.3 specifies close_notify in the same way that TLS 1.2 did.
I believe that has issues and this might be the right time to fix them.
The purpose of close_notify is to protect against data truncation attacks,
each side is required to send close_notify before closing the write side of
the transport connection so the other side knows that the data was not truncated.
As such, close_notify only needs half-close semantics to prevent truncation.

However, the specification contains the following text:
<< Each party MUST send a “close_notify” alert before closing the write side
    of the connection, unless some other fatal alert has been transmitted.
    The other party MUST respond with a “close_notify” alert of its own and close
    down the connection immediately, discarding any pending writes. >>

This means that an application-layer client can't send a query then close their
write transport when they know that they're done, because the server would
terminate the TLS session before sending the reply. On top of this, when
the server receives the close_notify, it may have already sent part of the reply
(or wrote it to the socket send buffer) so the responding close_notify would
in effect be inflicting a truncation attack on the client.

This doesn't make much difference for HTTP because clients already
don't close their write transport after sending a reply, however having the
option do do this could allow innovation in new protocols that can define
the semantics of when they use close_notify. An example is DNS PUSH:
https://tools.ietf.org/html/draft-ietf-dnssd-push <https://tools.ietf.org/html/draft-ietf-dnssd-push>

A proposal to solve this problem would be to give close_notify half-close
semantics: we keep the requirements that a close_notify be sent before
closing the transport, and that any data received after a close_notify is
ignored, but we simply remove the requirement to immediately reply
with a close_notify. This has the advantage that current implementations
are already compliant but future ones can leverage this improvement.

What do you think? Is this worth discussing on Thursday?

Thanks,
David Schinazi

v2.23.0 | Report a Bug | By Email