Re: [TLS] Expanded alert codes
Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 21 May 2018 12:09 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Eric Rescorla <ekr@rtfm.com>
CC: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Bill Frantz <frantz@pwpconsult.com>, Steve Fenter <steven.fenter58@gmail.com>, "Dale R. Worley" <worley@ariadne.com>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: Expanded alert codes
Thread-Index: AQHT8PxOiBfXisHgz0GQ8m34NZHo8g==
Date: Mon, 21 May 2018 12:09:28 +0000
Message-ID: <1526904555196.87951@cs.auckland.ac.nz>
References: <CABcZeBNB50jY1odzgVZVKqn8F7TCj1b+A_95yG6f=Nde0KVv+g@mail.gmail.com>, <1522560535687.32559@cs.auckland.ac.nz>
In-Reply-To: <1522560535687.32559@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/glO_S9hoELnLh8jWxRvosAdtYIY>
Reviving this discussion, if I write up a draft for this what's going to happen to it? Will it get published, or shouted down?

The reason I'm asking is that I've just spent the past three days debugging a TLS issue that's pretty much a poster child for why extended alerts are needed; it was something that would have been resolved in a single handshake exchange with extended alerts, but took three days to sort out without them. The sequence was as follows:

Client sends standard client hello.
Server responds with handshake failed alert.

The same client has been running for years, and connects fine to any number of servers, and openssl and some web browsers connect fine to the server. The only message exchanged was the hello, so there are zero security issues in providing extended alerts.

Since some people have argued that extended alerts aren't necessary or useful, I'll wait awhile for them to diagnose what was wrong using the information above, which was all that was available.

Peter.
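As an added illustration (editor's example, not part of Peter's message or any project's code), the following Python decodes the two-message exchange he describes, a ClientHello followed by a fatal handshake_failure alert, to make concrete how much the debugger has to work with: the full list of what the client offered on one side, and exactly two alert bytes on the other. The ClientHello bytes and the alert record are constructed samples built inline; the field layout follows the TLS record and handshake formats.

```python
import struct

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security",
               80: "internal_error", 109: "missing_extension", 110: "unsupported_extension"}
EXT_NAMES = {0: "server_name", 10: "supported_groups", 13: "signature_algorithms",
             43: "supported_versions", 51: "key_share"}
def parse_record(buf):
    """Split one TLS record: 1-byte type, 2-byte legacy version, 2-byte length, body."""
    ctype, ver, length = struct.unpack("!BHH", buf[:5])
    assert len(buf) >= 5 + length, "truncated record"
    return ctype, ver, buf[5:5 + length]
def parse_alert(body):
    """An alert body is exactly two bytes, level and description; nothing else is carried."""
    level, desc = body
    return {"level": "fatal" if level == 2 else "warning",
            "description": ALERT_NAMES.get(desc, f"unknown({desc})")}
def parse_client_hello(body):
    """Walk a ClientHello: version, random, session id, suites, compression, extensions."""
    assert body[0] == 1, "not a ClientHello"   # HandshakeType client_hello(1)
    p = 4                                        # skip type + 3-byte length
    version = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    p += 32 + 1 + body[p + 32]                   # client random, then legacy session id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    suites = [hex(struct.unpack("!H", body[i:i + 2])[0]) for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                             # compression methods
    exts = []
    if p < len(body):                            # extensions block is optional before TLS 1.3
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]; p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4 + elen
            exts.append(EXT_NAMES.get(etype, f"ext_{etype}"))
    return {"version": hex(version), "cipher_suites": suites, "extensions": exts}

# Constructed sample: a ClientHello offering three suites, two named groups (x25519,
# secp256r1) and TLS 1.3/1.2 via supported_versions; client random zeroed for brevity.
_suites = struct.pack("!HHH", 0x1301, 0xc02f, 0xc030)
_exts = (struct.pack("!HH", 10, 6) + b"\x00\x04\x00\x1d\x00\x17"
         + struct.pack("!HH", 43, 5) + b"\x04\x03\x04\x03\x03")
_ch = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", len(_suites))
       + _suites + b"\x01\x00" + struct.pack("!H", len(_exts)) + _exts)
_hs = b"\x01" + len(_ch).to_bytes(3, "big") + _ch
CLIENT_HELLO_RECORD = struct.pack("!BHH", 22, 0x0301, len(_hs)) + _hs
# Constructed sample: the server's entire reply, a fatal (2) handshake_failure (40) alert.
SERVER_ALERT_RECORD = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])
def diagnose(client_record, server_record):
    """Everything the debugger has: what the client offered, and the two alert bytes."""
    _, _, hello = parse_record(client_record)
    _, _, alert = parse_record(server_record)
    return {"offered": parse_client_hello(hello), "alert": parse_alert(alert)}
```

Run against a real capture, the "offered" side would be the only thing to bisect over (versions, suites, groups, extensions), since the alert carries no field that points at which of them the server objected to.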