IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for

Martin Rex <mrex@sap.com> Mon, 25 October 2010 21:12 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3B35D3A68D3 for <tls@core3.amsl.com>; Mon, 25 Oct 2010 14:12:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.603
X-Spam-Level:
X-Spam-Status: No, score=-9.603 tagged_above=-999 required=5 tests=[AWL=0.046, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_61=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vJll0g2fj7iR for <tls@core3.amsl.com>; Mon, 25 Oct 2010 14:12:53 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id A39323A684C for <tls@ietf.org>; Mon, 25 Oct 2010 14:12:52 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o9PLE9BW001115 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 25 Oct 2010 23:14:14 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201010252114.o9PLE8ka017930@fs4113.wdf.sap.corp>
To: mrex@sap.com
Date: Mon, 25 Oct 2010 23:14:08 +0200
In-Reply-To: <201010251952.o9PJq3pa012929@fs4113.wdf.sap.corp> from "Martin Rex" at Oct 25, 10 09:52:03 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2010 21:12:55 -0000

Martin Rex wrote:
> 
> 2. SSLv2 deficiencies: "Sessions can be easily terminated"
> 
>     o Sessions can be easily terminated.  A man-in-the-middle can easily
>      insert a TCP FIN to close the session and the peer is unable to
>      determine whether or not it was a legitimate end of the session.
> 
>    I think this exaggerates the usefulness of the closy_notify(0)
>    warning level alert as used in practice.  By using an application
>    level framing protocol to mark boundaries of data, it is fairly
>    easy for application callers to compensate for this "lack" of SSLv2.
>    Many applications that use a framing protocol look only at their
>    own framing rather than waiting for the close_notify alert exchange
>    to _complete_.

The semantics of the close_notify(0) Alert in TLSv1.2 (mostly unchanged
from TLSv1.0).  Quoting from

http://tools.ietf.org/html/rfc5246#section-7.2.1

   Unless some other fatal alert has been transmitted, each party is
   required to send a close_notify alert before closing the write side
   of the connection.  The other party MUST respond with a close_notify
   alert of its own and close down the connection immediately,
   discarding any pending writes.  It is not required for the initiator
   of the close to wait for the responding close_notify alert before
   closing the read side of the connection.

When pages are reloaded/refreshed or when users navigate before a
web pages has completed loading all elements, it happens regularly
that connections get terminated prematurely.

In some situations the TLS-level close-notify might suggest a
different behaviour than the common and likely app-level decision.

What should a server do when processing an upload-request (HTTPS PUT),
sends back a 200/201 to the Browser.  Does (or should) the server wait
for the clients TLS close-notify and should the server rollback the
PUT if the clients close-notify is not sent?  If a server actually
did rollback in absence of the client'c TLS close-notify, that would
actually open(!) a vulnerability, i.e. an attacker could remove the
clients TLS close-notify from the network causing the server to think
it should rollback while the client believes the transaction was
successful.  A "secure communication closure protocol" would need three
legs, but that is clearly prohibited by the TLS spec for the 
close_notify alert.


-Martin

v2.23.0 | Report a Bug | By Email