Re: [TLS] Warning alert before TLS 1.3 ServerHello

Martin Thomson <martin.thomson@gmail.com> Fri, 11 May 2018 00:15 UTC

Yep.  More so in DTLS when the alert might arrive after the client has seen
the ServerHello.

On Fri, May 11, 2018 at 12:59 AM R duToit <r@nerd.ninja> wrote:

> The server sending the alert at warning level while knowing that it is
> about to negotiate TLS 1.3 seems to be in violation of the statement that
> "All alerts listed in Section 6.2 MUST be sent with AlertLevel=fatal," -
> that is probably more of an implementation issue.

> The client's reaction to the warning alert is what is ambiguous.  Some
> TLS 1.3 client implementations will ignore the alert, while others will
> choke.

> ---- On Thu, 10 May 2018 02:05:18 -0400 Martin Thomson <
> martin.thomson@gmail.com> wrote ----

> On Thu, May 10, 2018 at 1:48 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
> > I may be misreading the code, but it sure looks like the alert is only
> > sent if the application callback for the server name extension asks
> > OpenSSL to do that. The application can just decline the extension
> > and let the handshake continue with a default certificate... Is
> > the surprise that the alert is sent, or that it is a warning, or
> > something else?

> It's risking a failed connection. Though perhaps not that much more than
> providing the client with a certificate it might not like.

> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
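
The case discussed in this thread, as an added example that is not part of any message here and is not OpenSSL code: a checker that walks a plaintext server flight and reports warning-level error alerts that arrive before a ServerHello selecting TLS 1.3. It assumes TLS (not DTLS) record framing and an unfragmented ServerHello; the function names are hypothetical and the sample flight is constructed.

```python
import struct

ALERT, HANDSHAKE, SERVER_HELLO, SUPPORTED_VERSIONS = 21, 22, 2, 43
CLOSURE_ALERTS = {0, 90}                     # close_notify, user_canceled
NAMES = {112: "unrecognized_name"}

def records(stream):
    """Yield (content_type, fragment) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            break                            # truncated capture: stop parsing
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def selected_version(hello):
    """Negotiated version of an unfragmented ServerHello, or None if malformed."""
    body = hello[4:]                         # skip msg type and 24-bit length
    if len(body) < 35 or len(body) < 38 + body[34]:
        return None
    version = struct.unpack_from("!H", body)[0]   # legacy_version
    pos = 35 + body[34] + 3                  # session id, cipher suite, compression
    if pos + 2 > len(body):
        return version                       # no extensions block
    end = min(len(body), pos + 2 + struct.unpack_from("!H", body, pos)[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if ext_type == SUPPORTED_VERSIONS and ext_len == 2 and pos + 6 <= end:
            version = struct.unpack_from("!H", body, pos + 4)[0]
        pos += 4 + ext_len
    return version

def early_warnings(stream):
    """Names of warning-level error alerts sent before a TLS 1.3 ServerHello."""
    seen = []
    for ctype, frag in records(stream):
        if ctype == ALERT and len(frag) == 2 and frag[0] == 1 and frag[1] not in CLOSURE_ALERTS:
            seen.append(NAMES.get(frag[1], f"alert_{frag[1]}"))
        elif ctype == HANDSHAKE and frag and frag[0] == SERVER_HELLO:
            return seen if selected_version(frag) == 0x0304 else []
    return []

def sample_flight(selected):  # constructed input: warning alert 112, then ServerHello
    ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected) if selected else b""
    body = b"\x03\x03" + bytes(32) + b"\x00\x13\x01\x00" + struct.pack("!H", len(ext)) + ext
    hello = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x15\x03\x03\x00\x02\x01\x70\x16\x03\x03" + struct.pack("!H", len(hello)) + hello
```

A non-empty result marks a server that a strict TLS 1.3 client may abort on; the same alert before a TLS 1.2 ServerHello is not reported.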