Re: [TLS] Working Group Last Call for draft-ietf-tls-tls13-18

Benjamin Kaduk <> Thu, 10 November 2016 17:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C556812943B for <>; Thu, 10 Nov 2016 09:02:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rySS3Kgkaopa for <>; Thu, 10 Nov 2016 09:02:24 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id E42021293E8 for <>; Thu, 10 Nov 2016 09:02:23 -0800 (PST)
Received: from (localhost.localdomain []) by postfix.imss70 (Postfix) with ESMTP id C2361433450; Thu, 10 Nov 2016 17:02:22 +0000 (GMT)
Received: from ( []) by (Postfix) with ESMTP id AB2EE433402; Thu, 10 Nov 2016 17:02:22 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=a1; t=1478797342; bh=EAB8pIMiYP9Tju8QipbdMUD1jQg6eBJIMqctteYSgFM=; l=3061; h=To:References:Cc:From:Date:In-Reply-To:From; b=c/qekjfnJHI/9IsfRnVJvbZpHYCLzvwCwSoGw8XEwqnjfXpw9n9PKJkolg/3qYH80 eg0joEVoct127WFSNoP/OyfD3yBr8goiLSrbaIiEoorv6U512HJ8ZiKHDQEt+oxgQV l0QtM9Sf/eEzssJQjfKIs4lU5JlWL5kefv/PsdTE=
Received: from [] ( []) by (Postfix) with ESMTP id 603171FC90; Thu, 10 Nov 2016 17:02:22 +0000 (GMT)
To:, Eric Rescorla <>
References: <>
From: Benjamin Kaduk <>
Message-ID: <>
Date: Thu, 10 Nov 2016 11:02:22 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------9FDCEA331F140DA0B1924363"
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-tls13-18
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 Nov 2016 17:02:26 -0000

On 11/09/2016 01:42 PM, Martin Rex wrote:
> Whether or not the calling App wants to shutdown a communication
> at different times in both directions depends on the existing semantics
> of that application (which has just added TLS protection around its
> communication).  Reading and processing a close_notify in the TLS stack
> (e.g. OpenSSL) will tear down *BOTH* directions immediately, and preclude
> any further of sending of responses by the application, so the middleware
> really will want to hold of processing of close_notify alerts unless
> _explicitly_ asked to read further AppData by the application.

I don't understand.  As Watson notes, TLS does not have a half-closed state.
So, if the application wants to continue receiving data, the application
protocol should not [inform the TLS stack to] generate a close_notify
until the entire application-layer protocol is done, in both
directions.  Maybe that would work on plain TCP (no TLS), but I just
don't see how this should be expected to always work with TCP+TLS
between endpoints using different implementations.