Re: [TLS] 1rtt thoughts
Michael StJohns <msj@nthpermutation.com> Mon, 14 July 2014 20:06 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2530C1A8BB2 for <tls@ietfa.amsl.com>; Mon, 14 Jul 2014 13:06:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XU46-K1X8bXI for <tls@ietfa.amsl.com>; Mon, 14 Jul 2014 13:06:39 -0700 (PDT)
Received: from mail-qc0-f182.google.com (mail-qc0-f182.google.com [209.85.216.182]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5B971ABB90 for <tls@ietf.org>; Mon, 14 Jul 2014 13:06:38 -0700 (PDT)
Received: by mail-qc0-f182.google.com with SMTP id r5so3203059qcx.41 for <tls@ietf.org>; Mon, 14 Jul 2014 13:06:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=abbn7CxL/PbfzzH4egOk2nihFJZV1Wz4JWssEmtDE9w=; b=EzRoRjUVGY5oEsSjb2LzUZybM/bAtp7ra9H9GKsHc+N5aEgPkBE8lQk7t1mT5HNWaD mNnpCiFbZftb2aoZy4jMWHmrf67cEmCvuj89WgN1f1WaThjkimf1soBd4O7OyNODHsDx N6T7aUFGkEsHaSLF8QdYtcFYfV3PUxfy/KBtXUaDKYOPbaoh02OTG+hY96GlTjjkBFJ5 IP0RFSX/CwPtRwOWUlZpyRUEgfG6sc7z/xyWYD49iCJbHXTpxDyGv8qvh84tqqpWiDbz nZETegGvmQShyMvcH/y7IKZSjunIrLRv/hIbdqgIWNj8JBwIWd1fWYbcmBakgr10KN8i oncA==
X-Gm-Message-State: ALoCoQkxMf7ci/a+vRE77dYU4jhb/QEEr2CUYR2Ux5ryquX364llAtIt+l7snldiBz42GXQg6rrH
X-Received: by 10.224.49.71 with SMTP id u7mr25066137qaf.58.1405368398012; Mon, 14 Jul 2014 13:06:38 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:390:d81:350c:1e85:a7c? ([2601:a:2a00:390:d81:350c:1e85:a7c]) by mx.google.com with ESMTPSA id r10sm22011294qar.40.2014.07.14.13.06.37 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 14 Jul 2014 13:06:37 -0700 (PDT)
Message-ID: <53C4385A.7030007@nthpermutation.com>
Date: Mon, 14 Jul 2014 16:06:50 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>, Adam Langley <agl@imperialviolet.org>
References: <53C41080.9050204@nthpermutation.com> <CAMfhd9VjAjdgkrYY-YXyqtgZ95gK=qHMgkv3Sv2uou7HLT2eyg@mail.gmail.com> <CABcZeBO0OcS6LCuLBN-qgo_M2jNr4EwE65tN4fmJ93qTuJyDFw@mail.gmail.com>
In-Reply-To: <CABcZeBO0OcS6LCuLBN-qgo_M2jNr4EwE65tN4fmJ93qTuJyDFw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040306000404070301000007"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/enaY3MpFnyt_-QwEdv7jQtiF880
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 1rtt thoughts
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jul 2014 20:06:41 -0000
On 7/14/2014 1:49 PM, Eric Rescorla wrote: > > > > On Mon, Jul 14, 2014 at 10:27 AM, Adam Langley <agl@imperialviolet.org > <mailto:agl@imperialviolet.org>> wrote: > > On Mon, Jul 14, 2014 at 10:16 AM, Michael StJohns > <msj@nthpermutation.com <mailto:msj@nthpermutation.com>> wrote: > > A > > TLS1.2 server receiving things in this order discards the > ClientKeyExchange > > with an out of sequence error, and then starts the handshake > normally with > > the receipt of the ClientHello. > > I've never encountered a TLS 1.2 implementation that will discard an > unexpected handshake message like that as opposed to sending a fatal > alert (maybe) and closing the connection. > > > Indeed, it's required by TLS. Umm... Part of the problem I have at times in discussions about TLS is the confusion between what happens as part of the transport connection and what happens as part of the TLS connection. I think of TLS as a record connection over a bearer transport service. They interact, but not strongly, and usually not without intervention from the client or server application. The TLS thing (server, message processor, etc) attached to the server side of the transport connection snarfs up individual TLS records one by one and processes them according to its current state. While you're both correct that TLS requires the "connection" to be closed in the event of a fatal error (and here I'm referring to 7.2.2 of RFC5246), the context of the word "connection" in that section doesn't appear to be same as closing the "transport" (see just above that where the two different terms are used). It appears to only refer to closing the current TLS connection. Nothing in section 7.2.2 suggests either the requirement to close the transport, nor the requirement to discard pending data in the transport connection. I'm not arguing that implementations don't do exactly that though - I don't actually know. if you're arguing that the standard says to close the transport and discard the pending TLS records, can you point me at that section? I also can't find anything that says that a new connection can't be opened on the same transport connection after a fatal close. So I would suggest that even with 7.2.2 you get this as an error case between a 1rtt TLS1.3 client and a 1.2 server: Client Server ClientKeyExchange -----> ClientHello ----> [Server notices data waiting on the transport Server begins a connection state Server receives and processes unexpected ClientKeyExchange Server sends a fatal alert and discards the connection state] <--------------- Error Alert (unexpected_message) (plus close_notify??) [Client receives the error alert checks for type and discards it as expected] [Server notices data waiting on the transport Server begins a connection state Server Receives and processes ClientHello Server sends its part of a TLS1.2 handshake] <--------------- ServerHello, ServerKeyExchange etc [Client receives the Server Side messages and processes them... Client resends the ClientKeyExchange that was ignored above] ClientKeyExchange ------> etc ---> ............................. Continue through the normal connection process. From the server's side this looks like two different connections. From the client side, it's just negotiating to the right suite. Mike > > -Ekr > > We could refine TLS 1.2 processing, of course, but if you were > expecting that to be backwards compatible with existing code then I > fear it won't work. > > > > > Cheers > > AGL > > -- > Adam Langley agl@imperialviolet.org > <mailto:agl@imperialviolet.org> https://www.imperialviolet.org > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] 1rtt thoughts Michael StJohns
- Re: [TLS] 1rtt thoughts Adam Langley
- Re: [TLS] 1rtt thoughts Eric Rescorla
- Re: [TLS] 1rtt thoughts Michael StJohns
- Re: [TLS] 1rtt thoughts Eric Rescorla
- Re: [TLS] 1rtt thoughts Daniel Kahn Gillmor
- Re: [TLS] 1rtt thoughts Michael StJohns
- Re: [TLS] 1rtt thoughts James Cloos