Re: [TLS] close_notify and TLS 1.3
Hubert Kario <hkario@redhat.com> Mon, 13 November 2017 14:38 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BAC8129AAA for <tls@ietfa.amsl.com>; Mon, 13 Nov 2017 06:38:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.92
X-Spam-Level:
X-Spam-Status: No, score=-6.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3ABcJv3jmSJ for <tls@ietfa.amsl.com>; Mon, 13 Nov 2017 06:38:54 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A119F124D37 for <tls@ietf.org>; Mon, 13 Nov 2017 06:38:54 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4D2D1642; Mon, 13 Nov 2017 14:38:54 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E947480621; Mon, 13 Nov 2017 14:38:53 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 13 Nov 2017 15:38:46 +0100
Message-ID: <1553712.MIZnC4Bnhv@pintsize.usersys.redhat.com>
In-Reply-To: <CABcZeBPczGOafQk-hokrxALWUwWAaegDoK_Ed+wcvxx9Jor5vw@mail.gmail.com>
References: <A6C599ED-3F3D-462F-9B39-1FEF6A0B549B@apple.com> <3025542.QI1GADQRnG@pintsize.usersys.redhat.com> <CABcZeBPczGOafQk-hokrxALWUwWAaegDoK_Ed+wcvxx9Jor5vw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1594484.yiQ46WnH02"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Mon, 13 Nov 2017 14:38:54 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XYjrDmD6dcAYn0-fDEhYVysNBgY>
Subject: Re: [TLS] close_notify and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2017 14:38:56 -0000
On Monday, 13 November 2017 13:25:07 CET Eric Rescorla wrote: > On Mon, Nov 13, 2017 at 11:37 AM, Hubert Kario <hkario@redhat.com> wrote: > > On Saturday, 11 November 2017 10:21:11 CET David Schinazi wrote: > > > Hello all, > > > > > > Currently TLS 1.3 specifies close_notify in the same way that TLS 1.2 > > > > did. > > > > > I believe that has issues and this might be the right time to fix them. > > > The purpose of close_notify is to protect against data truncation > > > > attacks, > > > > > each side is required to send close_notify before closing the write side > > > > of > > > > > the transport connection so the other side knows that the data was not > > > truncated. As such, close_notify only needs half-close semantics to > > > > prevent > > > > > truncation. > > > > > > However, the specification contains the following text: > > > << Each party MUST send a “close_notify” alert before closing the write > > > > side > > > > > of the connection, unless some other fatal alert has been transmitted. > > > > The > > > > > other party MUST respond with a “close_notify” alert of its own and > > > close > > > down the connection immediately, discarding any pending writes. >> > > > > > > This means that an application-layer client can't send a query then > > > close > > > their write transport when they know that they're done, because the > > > > server > > > > > would terminate the TLS session before sending the reply. On top of > > > this, > > > when the server receives the close_notify, it may have already sent part > > > > of > > > > > the reply (or wrote it to the socket send buffer) so the responding > > > close_notify would in effect be inflicting a truncation attack on the > > > client. > > > > > > This doesn't make much difference for HTTP because clients already > > > don't close their write transport after sending a reply, however having > > > > the > > > > > option do do this could allow innovation in new protocols that can > > > define > > > the semantics of when they use close_notify. An example is DNS PUSH: > > > https://tools.ietf.org/html/draft-ietf-dnssd-push > > > <https://tools.ietf.org/html/draft-ietf-dnssd-push> > > > > > > A proposal to solve this problem would be to give close_notify > > > half-close > > > semantics: we keep the requirements that a close_notify be sent before > > > closing the transport, and that any data received after a close_notify > > > is > > > ignored, but we simply remove the requirement to immediately reply > > > with a close_notify. This has the advantage that current implementations > > > are already compliant but future ones can leverage this improvement. > > > > > > What do you think? Is this worth discussing on Thursday? > > > > what about alerts? > > > > > > if you half-closed the connection for write and then received key-update, > > I assume you mean with update_requested set. in any case, you do nothing: > > If the request_update field is set to "update_requested" then the receiver > MUST > send a KeyUpdate of its own with request_update set to > "update_not_requested" prior > to sending its next application data record. how "MUST send a KeyUpdate of its own" is "you do nothing"? Either you "MUST" act on received control messages or you do not. If not, then the handling of errors by closing the read side (and NOT sending fatal alerts) should be specified. Sending bad_record_mac while not replying to KeyUpdate seems very ugly to me; if the rest of the document is not updated in PR#1092. > > or > > message with an invalid tag, how are you supposed to react to it? > > I think it would be fine to either silently tear down the connection or to > send an alert. sending alerts after close_notify goes against the semantics of TCP half- close. If the intention is to support TCP half-close-like mechanism in TLS, we need to document when and where that abstraction is broken. In particular - that sending close_notify shouldn't be followed by closing the write side of the connection (be it TCP or Unix socket). Only that application_data packets are disallowed after close_notify. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
- [TLS] close_notify and TLS 1.3 David Schinazi
- Re: [TLS] close_notify and TLS 1.3 Martin Thomson
- Re: [TLS] close_notify and TLS 1.3 David Benjamin
- Re: [TLS] close_notify and TLS 1.3 Eric Rescorla
- Re: [TLS] close_notify and TLS 1.3 David Schinazi
- Re: [TLS] close_notify and TLS 1.3 Eric Rescorla
- Re: [TLS] close_notify and TLS 1.3 Martin Thomson
- Re: [TLS] close_notify and TLS 1.3 David Schinazi
- Re: [TLS] close_notify and TLS 1.3 Ilari Liusvaara
- Re: [TLS] close_notify and TLS 1.3 Hubert Kario
- Re: [TLS] close_notify and TLS 1.3 Eric Rescorla
- Re: [TLS] close_notify and TLS 1.3 David Benjamin
- Re: [TLS] close_notify and TLS 1.3 Hubert Kario
- Re: [TLS] close_notify and TLS 1.3 Eric Rescorla