Re: [TLS] Sending fatal alerts over TCP
Martin Rex <mrex@sap.com> Wed, 21 December 2011 19:40 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E71DB11E80A3 for <tls@ietfa.amsl.com>; Wed, 21 Dec 2011 11:40:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.559
X-Spam-Level:
X-Spam-Status: No, score=-9.559 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZT8Ung2m4npa for <tls@ietfa.amsl.com>; Wed, 21 Dec 2011 11:40:02 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id B645711E8073 for <tls@ietf.org>; Wed, 21 Dec 2011 11:40:01 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id pBLJdonc011636 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 21 Dec 2011 20:39:55 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201112211939.pBLJdovn015672@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Wed, 21 Dec 2011 20:39:50 +0100
In-Reply-To: <4EF2328A.9060604@extendedsubset.com> from "Marsh Ray" at Dec 21, 11 01:24:58 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Sending fatal alerts over TCP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2011 19:40:03 -0000
Marsh Ray wrote: > > On 12/21/2011 01:13 PM, Martin Rex wrote: > > > > Unless the local application performs a shutdown(), the TCP implementation > > of Y MUST continue to deliver data that was received. > > This seems relevant http://tools.ietf.org/html/rfc793 > > > [when in state:] ESTABLISHED FIN-WAIT-1 FIN-WAIT-2 CLOSE-WAIT > > > > If the RST bit is set then, any outstanding RECEIVEs and SEND > > should receive "reset" responses. All segment queues should be > > flushed. Users should also receive an unsolicited general > > "connection reset" signal. Enter the CLOSED state, delete the > > TCB, and return. > > This part about "all segment queues should be flushed" suggests to me > that received-but-undelivered application data MAY or SHOULD be > discarded. Deleting the TCB altogether certainly sounds final. In case that you're referring to page 70, this text appears in a section "second check the RST bit," and can only be ever reached when it was not fully processed by the previous "first check sequence number" a page before, which says: first check sequence number SYN-RECEIVED STATE ESTABLISHED STATE FIN-WAIT-1 STATE FIN-WAIT-2 STATE CLOSE-WAIT STATE CLOSING STATE LAST-ACK STATE TIME-WAIT STATE Segments are processed in sequence. Initial tests on arrival are used to discard old duplicates, but further processing is done in SEG.SEQ order. If a segment's contents straddle the boundary between old and new, only the new parts should be processed. There are four cases for the acceptability test for an incoming segment: Segment Receive Test Length Window ------- ------- ------------------------------------------- 0 0 SEG.SEQ = RCV.NXT 0 >0 RCV.NXT =< SEG.SEQ < RCV.NXT+RCV.WND >0 0 not acceptable >0 >0 RCV.NXT =< SEG.SEQ < RCV.NXT+RCV.WND or RCV.NXT =< SEG.SEQ+SEG.LEN-1 < RCV.NXT+RCV.WND If the RCV.WND is zero, no segments will be acceptable, but special allowance should be made to accept valid ACKs, URGs and RSTs. *> If an incoming segment is not acceptable, an acknowledgment *> should be sent in reply (unless the RST bit is set, if so drop *> the segment and return): <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK> After sending the acknowledgment, drop the unacceptable segment and return. -Martin
- [TLS] Sending fatal alerts over TCP Florian Weimer
- Re: [TLS] Sending fatal alerts over TCP Marsh Ray
- Re: [TLS] Sending fatal alerts over TCP Nico Williams
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Nico Williams
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Peter Gutmann
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Florian Weimer
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Marsh Ray
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Marsh Ray
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Nico Williams
- Re: [TLS] Sending fatal alerts over TCP Peter Gutmann
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Paul Hoffman
- Re: [TLS] Sending fatal alerts over TCP Florian Weimer