IETF Logo Mail Archive

Re: [TLS] Alert after sending ServerHello

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 26 April 2017 06:19 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34AD312F251 for <tls@ietfa.amsl.com>; Tue, 25 Apr 2017 23:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5yDe-5ks17PG for <tls@ietfa.amsl.com>; Tue, 25 Apr 2017 23:19:54 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 9F8A912F24E for <tls@ietf.org>; Tue, 25 Apr 2017 23:19:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id A82EC40783; Wed, 26 Apr 2017 09:19:51 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id iJsJ5ylNT7UX; Wed, 26 Apr 2017 09:19:51 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 6F36C21C; Wed, 26 Apr 2017 09:19:51 +0300 (EEST)
Date: Wed, 26 Apr 2017 09:19:49 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Roelof Du Toit <Roelof_Dutoit@symantec.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170426061949.GC28395@LK-Perkele-V2.elisa-laajakaista.fi>
References: <EAF9D3D6-A87D-450D-BCFB-36F8CDC8B14F@symantec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <EAF9D3D6-A87D-450D-BCFB-36F8CDC8B14F@symantec.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/e7f9G39bOoNvv-5db2uawbnBcVM>
Subject: Re: [TLS] Alert after sending ServerHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 06:19:57 -0000

On Wed, Apr 26, 2017 at 03:01:40AM +0000, Roelof Du Toit wrote:
> During interop testing with an open-source stack I ran into the following:
> CH ---->
> <---- SH,{EE,Cert,CV,Fin}
> alert ---->
> 
> The alert was due to a decode error on CV, and the stack in question
> sent the alert in a plaintext record.
> 
> The current draft specification has the following text in section 6:
> "Like other messages, alert messages are encrypted as specified by
> the current connection state." and the following in section 5.1:
> "Once record protection has started, TLSPlaintext records are
> protected"
> 
> I expected the alert above to be sent in a ciphertext record, but I
> can also see the client sending plaintext alerts for ServerHello
> decode failures. My conclusion is that the TLS 1.3 record layer on
> the server side should support receiving both ciphertext and
> plaintext records after ServerHello has been sent.

Yes, that's the way the library I'm writing does it: The first
record received after ServerHello is sent can be cleartext alert for
the case where client chokes on ServerHello, or it can be encrypted
record.

It does not support 0-RTT (insufficient understanding of the actual
security properties, need to design API properly).

One can easily tell unencrypted alert and encrypted record from
envelope type (unencrypted alert has 21, encrypted alert or client
returning handshake is 23).
 
> One way for the server to handle the scenario above is to defer
> using client_handshake_traffic_secret until the first app_data
> record is received.   That idea falls flat when the client is
> also sending early data and the server wants to ignore the early
> data using trial decrypt with client_handshake_traffic_secret:

If you ever receive envelope-type-21 record, you know that the
connection has failed. All those are fatal errors.

The difference is really the error (illegal record type vs.
received alert).


-Ilari

v2.23.0 | Report a Bug | By Email