Re: [TLS] [Technical Errata Reported] RFC8446 (7620)
Ben Smyth <research@bensmyth.com> Mon, 28 August 2023 13:38 UTC
Return-Path: <research@bensmyth.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3980C14CE55 for <tls@ietfa.amsl.com>; Mon, 28 Aug 2023 06:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bensmyth.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H1lJBQYtA8jc for <tls@ietfa.amsl.com>; Mon, 28 Aug 2023 06:38:52 -0700 (PDT)
Received: from 5.smtp.34sp.com (5.smtp.34sp.com [46.183.8.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26BCFC151553 for <tls@ietf.org>; Mon, 28 Aug 2023 06:38:49 -0700 (PDT)
Received: from smtpauth3.mailarray.34sp.com (lvs5.34sp.com [46.183.13.73]) by 5.smtp.34sp.com (Postfix) with ESMTPS id 1CF262D1C0B for <tls@ietf.org>; Mon, 28 Aug 2023 14:38:43 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bensmyth.com; s=dkim; t=1693229923; bh=HtVd9pIu1qRkOdr3aQRjGTEHKtN/XfKUiEGg7/IvbVg=; h=References:In-Reply-To:Reply-To:From:Date:Subject:To:Cc; b=TBcdM7c0FACD6K+lcI1SAtfYorOJhqvcLI5wY/CJUUsltQlJzfXCV0dN8V3pks9d8 CKObxhD5s/WKph8hGpG9Efpb2Wvb/QZWKijagDHlQiszJys+QNuOG7DflZez85saFT aTfq/LJq2SrOgqveroCYEX+Hb5xExi2BvAM4gsYo=
Received: from mail-pj1-f48.google.com ([209.85.216.48]:44476) by smtpauth3.mailarray.34sp.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from <research@bensmyth.com>) id 1qacS2-0006UO-W4 for tls@ietf.org; Mon, 28 Aug 2023 14:38:43 +0100
Received: by mail-pj1-f48.google.com with SMTP id 98e67ed59e1d1-26d5970cd28so1678590a91.2 for <tls@ietf.org>; Mon, 28 Aug 2023 06:38:42 -0700 (PDT)
X-Gm-Message-State: AOJu0YzoM9dOA0Y4GaJRtiq5mQrH0h1Wmi04JadOclHF715bUyU9qvoW jQWhBSdE5eWoBP2e3JxuMpCkD97zGMXNZerSeYY=
X-Google-Smtp-Source: AGHT+IGua3h6m6mG2pUemlkW9g2+gRCIglOhsK6YNGWrplf1Xbsq95Htiir0K8UEPm3O7tSq9t40wxCHwGHYidztFfo=
X-Received: by 2002:a17:90a:ba81:b0:26b:6a2f:7d96 with SMTP id t1-20020a17090aba8100b0026b6a2f7d96mr18376984pjr.18.1693229921062; Mon, 28 Aug 2023 06:38:41 -0700 (PDT)
MIME-Version: 1.0
References: <20230828110218.37E627FDEA@rfcpa.amsl.com> <CABcZeBPHevj+4oYOyrbZC1FPmEtq961h8zThgAR07Bw8GRyC0g@mail.gmail.com>
In-Reply-To: <CABcZeBPHevj+4oYOyrbZC1FPmEtq961h8zThgAR07Bw8GRyC0g@mail.gmail.com>
Reply-To: research@bensmyth.com
From: Ben Smyth <research@bensmyth.com>
Date: Mon, 28 Aug 2023 15:38:30 +0200
X-Gmail-Original-Message-ID: <CA+_8xu0skGn-0BkK_oA+2=NSrBEp_dLFV3DJn8Nsv8WeRoXdZg@mail.gmail.com>
Message-ID: <CA+_8xu0skGn-0BkK_oA+2=NSrBEp_dLFV3DJn8Nsv8WeRoXdZg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, rdd@cert.org, paul.wouters@aiven.io, caw@heapingbits.net, Joseph Salowey <joe@salowey.net>, sean+ietf@sn3rd.com, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f7d51f0603fbcfc8"
X-Authenticated-As: f594447444afb5e8e542d6cd3ee989c5ad593da02deb40a8d61181d2a2c508bd
X-OriginalSMTPIP: 209.85.216.48
X-34spcom-MailScanner-Information: Please contact the ISP for more information
X-34spcom-MailScanner-ID: 1CF262D1C0B.A7CF0
X-34spcom-MailScanner: Found to be clean
X-34spcom-MailScanner-SpamCheck: not spam, SpamAssassin (score=-0.1, required 6.5, autolearn=disabled, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00, SPF_PASS -0.00)
X-34spcom-MailScanner-From: research@bensmyth.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/avlLibOO9w_nuclAyNGWIMIF750>
Subject: Re: [TLS] [Technical Errata Reported] RFC8446 (7620)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Aug 2023 13:38:58 -0000
Yes, we agree. I anticipate necessity to reduce the strength my wording (or to ignore). I raise this errata only to discuss specification-compliant implementations being vulnerable to truncation attack; it'd surely be better to have a SHOULD or SHOULD NOT. On Mon, 28 Aug 2023, 14:43 Eric Rescorla, <ekr@rtfm.com> wrote: > Hi Ben, > > Before addressing the text, let's make sure we are on the same page about > the situation. > > As you probably know, there are quite a few situations in which endpoints > close the connection before > receiving a close_notify, for instance, when they receive an end of data > message in the application > protocol or when they time out. The former case is generally safe, the > latter is not, but extremely > common, in fact perhaps the dominant case. Do we agree on that? > > -Ekr > > > On Mon, Aug 28, 2023 at 4:02 AM RFC Errata System < > rfc-editor@rfc-editor.org> wrote: > >> The following errata report has been submitted for RFC8446, >> "The Transport Layer Security (TLS) Protocol Version 1.3". >> >> -------------------------------------- >> You may review the report below and at: >> https://www.rfc-editor.org/errata/eid7620 >> >> -------------------------------------- >> Type: Technical >> Reported by: Ben Smyth <research@bensmyth.com> >> >> Section: 6.1 >> >> Original Text >> ------------- >> Each party MUST send a "close_notify" alert before closing its write >> side of the connection, unless it has already sent some error alert. >> This does not have any effect on its read side of the connection. >> Note that this is a change from versions of TLS prior to TLS 1.3 in >> which implementations were required to react to a "close_notify" by >> discarding pending writes and sending an immediate "close_notify" >> alert of their own. That previous requirement could cause truncation >> in the read side. Both parties need not wait to receive a >> "close_notify" alert before closing their read side of the >> connection, though doing so would introduce the possibility of >> truncation. >> >> Corrected Text >> -------------- >> Each party MUST send a "close_notify" alert before closing its write >> side of the connection, unless it has already sent some error alert. >> This SHOULD NOT have any effect on the read side of the sender's >> connection; >> parties SHOULD receive a "close_notify" alert before closing the read >> side of their connection. >> Note that this is a change from versions of TLS prior to TLS 1.3 in >> which receivers were required to react to a "close_notify" by >> discarding pending writes and sending an immediate "close_notify" >> alert of their own. That previous requirement could cause truncation >> in the read side. Both parties need not wait to receive a >> "close_notify" alert before closing their read side of the >> connection, though doing so would introduce the possibility of >> truncation. >> >> Notes >> ----- >> As-is there's a specification-level vulnerability: >> Specification-compliant implementations may be vulnerable to truncation >> attacks. >> >> I suggest using SHOULD NOT & SHOULD for better signposting and to avoid >> specification-level vulnerability. >> >> I also suggest minor tweaks for readability. >> >> Instructions: >> ------------- >> This erratum is currently posted as "Reported". If necessary, please >> use "Reply All" to discuss whether it should be verified or >> rejected. When a decision is reached, the verifying party >> can log in to change the status and edit the report, if necessary. >> >> -------------------------------------- >> RFC8446 (draft-ietf-tls-tls13-28) >> -------------------------------------- >> Title : The Transport Layer Security (TLS) Protocol Version >> 1.3 >> Publication Date : August 2018 >> Author(s) : E. Rescorla >> Category : PROPOSED STANDARD >> Source : Transport Layer Security >> Area : Security >> Stream : IETF >> Verifying Party : IESG >> >
- [TLS] [Technical Errata Reported] RFC8446 (7620) RFC Errata System
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Eric Rescorla
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Ben Smyth
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Eric Rescorla
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Viktor Dukhovni
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Christian Huitema
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Ben Smyth
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Eric Rescorla
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Viktor Dukhovni
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Ben Smyth
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Eric Rescorla
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Ben Smyth
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Ben Smyth
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Christian Huitema
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Eric Rescorla
- Re: [TLS] [Technical Errata Reported] RFC8446 (76… Ben Smyth