Re: [TLS] Sending fatal alerts over TCP

Bodo Moeller <bmoeller@acm.org> Wed, 21 December 2011 20:28 UTC

In-Reply-To: <4EF23BB2.600@extendedsubset.com>
References: <201112211939.pBLJdovn015672@fs4113.wdf.sap.corp> <4EF23BB2.600@extendedsubset.com>
Date: Wed, 21 Dec 2011 21:28:32 +0100
Message-ID: <CADMpkcLWduzn1Tn5Lc1SZ1bmuZ7qfeOvq2XVzze62m5oW4N3vQ@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: tls@ietf.org
Subject: Re: [TLS] Sending fatal alerts over TCP

On Wed, Dec 21, 2011 at 9:04 PM, Marsh Ray <marsh@extendedsubset.com> wrote:

> But let's say the RST segment passes the sequence number check.
>
> It seems that this language applies:
>
>>  Initial tests on arrival  are used to discard old duplicates,
>>  but further processing is  done in SEG.SEQ order.
>

Note that this only implies that Y's TCP needs to process the segment
containing X's TLS alert before it can process the RST segment. Processing
the segment with the alert merely means queuing it; the TLS layer would
have to "RECEIVE" it from the TCP to do something with it.  If the RST
segment gets processed before the TLS layer has received the TLS alert, the
receiving queue will be flushed, and the alert will be gone.
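
The ordering problem described above, as an added example that is not part of Bodo's message or of the thread: a loopback experiment in Python in which peer X writes a constructed TLS fatal alert record and then aborts the connection with SO_LINGER set to zero, so that its kernel emits RST rather than FIN, while peer Y's "TLS layer" deliberately delays its RECEIVE until after the RST has been processed. Whether Y's read then returns the alert bytes or ECONNRESET depends on how the host TCP stack treats data already queued when a RST arrives, so the code reports which of the two happened rather than assuming either. The alert bytes, the `run_experiment` helper and the `struct linger` layout (two C ints, as on Linux and the BSDs) are assumptions made for this example.

```python
"""Loopback demonstration: TLS alert record followed by a TCP RST.

Peer X sends a fatal alert and then resets the connection.  Peer Y reads
only after a delay, so Y's TCP has already processed the RST when the
application finally RECEIVEs.  The observed outcome is stack-dependent.
"""
import socket
import struct
import threading
import time

# Constructed TLS record for this example: ContentType alert (21),
# ProtocolVersion 3.1, length 2, AlertLevel fatal (2),
# AlertDescription handshake_failure (40).
FATAL_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])


def parse_alert(record):
    """Return (level, description) from a TLS alert record, or raise ValueError."""
    if len(record) < 5 or record[0] != 0x15:
        raise ValueError("not a TLS alert record")
    (length,) = struct.unpack("!H", record[3:5])
    if length != 2 or len(record) < 5 + length:
        raise ValueError("truncated or malformed alert record")
    return record[5], record[6]


def x_send_alert_then_rst(conn):
    """Peer X: write the alert, then close with SO_LINGER {on, 0 s}.

    A zero linger time makes close() abort the connection with RST instead
    of the normal FIN handshake.  'ii' matches struct linger on Linux/BSD
    (assumption for this example; Windows uses two u_short fields).
    """
    conn.sendall(FATAL_ALERT)
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()


def y_receive(sock, delay, max_reads=2):
    """Peer Y: the 'TLS layer' RECEIVEs only after `delay` seconds.

    Returns a list of observed events, each ("alert", (level, desc)),
    ("data", raw_bytes), ("eof", None) or ("reset", None).
    """
    time.sleep(delay)          # let the alert segment and the RST both arrive first
    sock.settimeout(5)         # safety net so a surprising stack cannot hang us
    events = []
    for _ in range(max_reads):
        try:
            data = sock.recv(4096)
        except ConnectionResetError:
            events.append(("reset", None))   # RST was processed before (or instead of) delivery
            break
        if not data:
            events.append(("eof", None))
            break
        try:
            events.append(("alert", parse_alert(data)))
        except ValueError:
            events.append(("data", data))
    return events


def run_experiment(delay=0.5):
    """Run X and Y over 127.0.0.1 and return Y's observed events."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_conn, _ = listener.accept()
    listener.close()

    x = threading.Thread(target=x_send_alert_then_rst, args=(server_conn,))
    x.start()
    events = y_receive(client, delay)
    x.join()
    client.close()
    return events


if __name__ == "__main__":
    # Typical outputs: [('alert', (2, 40)), ('reset', None)] on stacks that keep
    # queued data across a RST, or [('reset', None)] on stacks that flush it.
    print(run_experiment())
```

The first event tells you which side of the race the local stack took: an "alert" event means the queued segment was still handed to the application after the RST, a "reset" event as the very first result means the receive queue was discarded and the alert never reached the TLS layer, which is the scenario Bodo describes.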