IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for

Marsh Ray <marsh@extendedsubset.com> Mon, 25 October 2010 22:26 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 374473A6826 for <tls@core3.amsl.com>; Mon, 25 Oct 2010 15:26:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[AWL=0.209, BAYES_00=-2.599, J_CHICKENPOX_61=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id osDXtipUNuI3 for <tls@core3.amsl.com>; Mon, 25 Oct 2010 15:26:07 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 1C1413A677C for <tls@ietf.org>; Mon, 25 Oct 2010 15:26:07 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1PAVWC-000ERk-NB; Mon, 25 Oct 2010 22:27:52 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id D614E6030; Mon, 25 Oct 2010 22:27:50 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+8Nhp0Pwma37+KTle8QXIb3JIVWoAwDOc=
Message-ID: <4CC60465.8090207@extendedsubset.com>
Date: Mon, 25 Oct 2010 17:27:49 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.14) Gecko/20101006 Thunderbird/3.0.9
MIME-Version: 1.0
To: mrex@sap.com
References: <201010252114.o9PLE8ka017930@fs4113.wdf.sap.corp>
In-Reply-To: <201010252114.o9PLE8ka017930@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2010 22:26:08 -0000

On 10/25/2010 04:14 PM, Martin Rex wrote:
> Martin Rex wrote:
>>
>> 2. SSLv2 deficiencies: "Sessions can be easily terminated"
>>
>>      o Sessions can be easily terminated.  A man-in-the-middle can easily
>>       insert a TCP FIN to close the session and the peer is unable to
>>       determine whether or not it was a legitimate end of the session.
>>
>>     I think this exaggerates the usefulness of the closy_notify(0)
>>     warning level alert as used in practice.

I disagree. It's simply stating the fact that SSLv2 cannot differentiate 
between a TCP level termination and a negotiated shutdown between the 
authenticated peers.

TLS can allows each peer to learn that the remote is finished sending 
data in an authenticated way. Though as you point out, TLS does not 
allow a peer to learn that the remote received the message, or in the 
case of a dropped connection to distinguish an attack from ordinary 
packet loss.

>>  By using an application
>>     level framing protocol to mark boundaries of data, it is fairly
>>     easy for application callers to compensate for this "lack" of SSLv2.

Yeah a lot of things easy in retrospect. :-)

>>     Many applications that use a framing protocol look only at their
>>     own framing rather than waiting for the close_notify alert exchange
>>     to _complete_.
>
> The semantics of the close_notify(0) Alert in TLSv1.2 (mostly unchanged
> from TLSv1.0).  Quoting from
>
> http://tools.ietf.org/html/rfc5246#section-7.2.1
>
>     Unless some other fatal alert has been transmitted, each party is
>     required to send a close_notify alert before closing the write side
>     of the connection.  The other party MUST respond with a close_notify
>     alert of its own and close down the connection immediately,
>     discarding any pending writes.  It is not required for the initiator
>     of the close to wait for the responding close_notify alert before
>     closing the read side of the connection.

Sounds reasonable to me.

If you make it too burdensome, application developers will simply drop 
the connection. As it stands, there are very few applications that can 
cleanly exit their process if there are network connections hanging open.

> When pages are reloaded/refreshed or when users navigate before a
> web pages has completed loading all elements, it happens regularly
> that connections get terminated prematurely.

Well that sucks.

> In some situations the TLS-level close-notify might suggest a
> different behaviour than the common and likely app-level decision.
>
> What should a server do when processing an upload-request (HTTPS PUT),
> sends back a 200/201 to the Browser.  Does (or should) the server wait
> for the clients TLS close-notify and should the server rollback the
> PUT if the clients close-notify is not sent?

Good question. HTTP just wasn't designed for robust transactions, and 
HTTPS certainly wasn't designed to add them.

> If a server actually
> did rollback in absence of the client'c TLS close-notify, that would
> actually open(!) a vulnerability, i.e. an attacker could remove the
> clients TLS close-notify from the network causing the server to think
> it should rollback while the client believes the transaction was
> successful.

Yeah, good point. HTTP, even over TLS, is no substitute for a real 
two-phase commit.

Even 2-PC isn't perfect: Say the close-notify was to be replied with a 
close-ack. Mallory could simply drop one of those and the peers may 
still have a different picture about what happened.

So for every N-PC, there is an (N + 1)-PC which allows each side to be a 
little more epistemologically satisfied. Probably this is something to 
be decided at the application layer. Whether or not it was right 
decision for HTTP to be designed for N <= 1 is seems outside the scope 
of [TLS].

>  A "secure communication closure protocol" would need three
> legs, but that is clearly prohibited by the TLS spec for the
> close_notify alert.

TLS provides one authenticated shutdown message in each dirction, which 
is one more than the zero provided by SSLv2 or HTTP. Clearly there are 
some non-idempotent-transaction-oriented web/SOAP apps that would 
benefit from more. But at what layer should they be implemented?

For TLS, we could propose a Hello extension pair of to negotiate a 
higher N-PC:

For example:

         client                           server

     "Let's exchange 3 messages for shutdown in each direction"
     Hello ++ CloseNotifyN propose 6

                                   Hello ++ CloseNotifyN use 3
                                  "Yes, let's exchange 3"

          <========== app data =========>

Client is done sending app data:
     close_notify(-2)  ---->
                       <----      close_ack(-1)
     close_notify(0)   ---->


Server is done sending app data. These messages may be intermingled with 
those above.
                       <----      close_notify(-2)
     close_ack(-1)     ---->
                       <----      close_notify(0)

--------------------------

But it might make more sense to handle it at a higher layer. For HTTP, 
it might end up looking similar to HTTP challenge-response auth, which 
uses multiple requests over the same connection which really just form a 
single logical request.

- Marsh

v2.23.0 | Report a Bug | By Email