Re: [TLS] Should we require implementations to send alerts?

Hubert Kario <hkario@redhat.com> Mon, 21 September 2015 10:36 UTC

From: Hubert Kario <hkario@redhat.com>
To: Bill Frantz <frantz@pwpconsult.com>
Date: Mon, 21 Sep 2015 12:35:55 +0200
Message-ID: <9623382.T7XJxfISNY@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.9 (Linux/4.1.6-201.fc22.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <r422Ps-1075i-3B82546B4DC5476384C28CF00E026822@Williams-MacBook-Pro.local>
References: <r422Ps-1075i-3B82546B4DC5476384C28CF00E026822@Williams-MacBook-Pro.local>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/XRVa5eIQ8BVot8G_4oxKLm0_Z7w>
Cc: tls@ietf.org
Subject: Re: [TLS] Should we require implementations to send alerts?

On Friday 18 September 2015 15:13:37 Bill Frantz wrote:
> On 9/18/15 at 4:27 AM, hkario@redhat.com (Hubert Kario) wrote:
> >except that a TLS1.3 version intolerant implementation won't
> >show its ugly head until TLS1.4 gets deployed
> 
> Is there a reason a test suite can't offer TLS 1.4, even if we
> don't know what it is?

There is no reason. In fact, any test suite should basically start with 
this (it being one of the very first fields the server needs to handle).

> The TLS implementation under test should
> gracefully step back to TLS 1.3.

Correct.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
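An added illustration of the probe discussed above (this is example code written for this archive page, not code from Hubert Kario, Bill Frantz or any Red Hat test suite): a client offers a version number the server has never heard of, and the check passes only if the server steps back to the newest version it does support. The thread predates RFC 8446; in the final TLS 1.3 a client offers versions through the supported_versions extension, while TLS 1.2 and earlier servers only look at the ClientHello version field, so the check below sends both kinds of offer. Assumptions: 0x0305 stands in for the not-yet-defined "TLS 1.4" (nothing defines that number), the cipher-suite list is a constructed minimum, and the two server behaviours are small in-process simulations of a tolerant and a version-intolerant server rather than a network peer.

```python
"""Version-intolerance probe: offer a TLS version newer than anything the
server knows and verify it falls back instead of aborting."""
import struct

# TLS version numbers as they appear on the wire.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
# Assumption: the next number is "TLS 1.4".  No RFC defines it; it is only
# the "version we do not know yet" that the probe offers.
TLS14_HYPOTHETICAL = 0x0305

SUPPORTED_VERSIONS_EXT = 43   # extension type, RFC 8446 section 4.2.1


def build_client_hello(legacy_version, offered_versions=None, random=b"\x11" * 32):
    """Serialise a ClientHello handshake message (RFC 8446 section 4.1.2).

    legacy_version fills the version field, the only thing a TLS 1.2 or
    older server looks at.  If offered_versions is given, a supported_versions
    extension listing them (newest first) is appended, which is how a TLS 1.3
    client offers versions.  The cipher-suite list is a constructed minimum;
    this is a probe, not a usable client."""
    cipher_suites = struct.pack(">HH", 0x1301, 0xC02B)   # TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256
    body = struct.pack(">H", legacy_version) + random
    body += b"\x00"                                      # legacy_session_id: empty
    body += struct.pack(">H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                                  # legacy_compression_methods: null only
    if offered_versions is not None:
        versions = b"".join(struct.pack(">H", v) for v in offered_versions)
        ext_data = struct.pack(">B", len(versions)) + versions
        ext = struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
        body += struct.pack(">H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type client_hello(1), 24-bit length


def parse_client_hello(msg):
    """Return (legacy_version, offered_versions) from a ClientHello message;
    offered_versions is None when there is no supported_versions extension."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack_from(">H", body, pos)[0]; pos += 2
    pos += 32                                            # random
    pos += 1 + body[pos]                                 # legacy_session_id
    pos += 2 + struct.unpack_from(">H", body, pos)[0]    # cipher_suites
    pos += 1 + body[pos]                                 # legacy_compression_methods
    offered = None
    if pos < len(body):                                  # extensions are optional
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack_from(">HH", body, pos); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]
                offered = [struct.unpack_from(">H", edata, 1 + i)[0] for i in range(0, n, 2)]
    return legacy_version, offered


def negotiate_tolerant(client_hello, server_versions):
    """Simulated well-behaved server (RFC 8446 section 4.2.1 rules): pick the
    newest mutually supported version, silently skipping values it does not
    recognise such as 0x0305."""
    legacy_version, offered = parse_client_hello(client_hello)
    if offered is not None:
        mutual = [v for v in offered if v in server_versions]
        return max(mutual) if mutual else None
    # No extension: the version field is the client's maximum.  TLS 1.3 may
    # only be negotiated through supported_versions, so it is excluded here.
    mutual = [v for v in server_versions if v <= legacy_version and v != TLS13]
    return max(mutual) if mutual else None


def negotiate_intolerant(client_hello, server_versions):
    """Simulated version-intolerant server: the bug the thread is about.  Any
    version number newer than the one it knows makes it drop the handshake
    (None stands for the closed connection or protocol_version alert)."""
    legacy_version, offered = parse_client_hello(client_hello)
    newest_known = max(server_versions)
    if legacy_version > newest_known or (offered and max(offered) > newest_known):
        return None
    return negotiate_tolerant(client_hello, server_versions)


def check_version_tolerance(server, server_versions):
    """True when `server` (a negotiate_* function standing in for the peer)
    falls back to the newest version it supports for both an extension-style
    and a version-field-style offer of a version it does not know."""
    ext_probe = build_client_hello(TLS12, [TLS14_HYPOTHETICAL, TLS13, TLS12, TLS11, TLS10])
    want_ext = max(server_versions)
    legacy_probe = build_client_hello(TLS14_HYPOTHETICAL)
    want_legacy = max((v for v in server_versions if v != TLS13), default=None)
    return (server(ext_probe, server_versions) == want_ext
            and server(legacy_probe, server_versions) == want_legacy)


if __name__ == "__main__":
    for name, srv in (("tolerant", negotiate_tolerant), ("intolerant", negotiate_intolerant)):
        print(name, "server passes:", check_version_tolerance(srv, {TLS12, TLS13}))
```

Against a real server the same ClientHello would be wrapped in a handshake record, sent over a socket, and the version read back from the ServerHello (its supported_versions extension, or the version field for a pre-1.3 server); that transport is deliberately left out so the block runs offline. Run it as is and the intolerant simulation reports a failure, which is exactly the kind of implementation that, as the thread notes, would otherwise go unnoticed until a real TLS 1.4 appeared.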