Re: [TLS] Short notes on TLS RFCs ...
Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Fri, 20 June 2014 12:15 UTC
Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 448C21A064E for <tls@ietfa.amsl.com>; Fri, 20 Jun 2014 05:15:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level:
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_56=0.6, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4RC-JLra0r_P for <tls@ietfa.amsl.com>; Fri, 20 Jun 2014 05:15:38 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED6EF1A0401 for <tls@ietf.org>; Fri, 20 Jun 2014 05:15:37 -0700 (PDT)
Received: from [192.168.1.200] (p508F221E.dip0.t-ipconnect.de [80.143.34.30]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTP id DDF951C104938; Fri, 20 Jun 2014 14:15:34 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <CAAF6GDfWGkZkYxvCHA+fScLzFse8bafDDd91Cgg_i-_UTu-Q0w@mail.gmail.com>
Date: Fri, 20 Jun 2014 14:15:34 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <5772B9EF-EDD0-4B3E-A85E-43CCEA199D01@lurchi.franken.de>
References: <CAAF6GDfWGkZkYxvCHA+fScLzFse8bafDDd91Cgg_i-_UTu-Q0w@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
X-Mailer: Apple Mail (2.1878.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/meuakOI0ui3LukpyCmg-7YsRRiM
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Short notes on TLS RFCs ...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jun 2014 12:15:40 -0000
On 20 Jun 2014, at 05:32, Colm MacCárthaigh <colm@allcosts.net> wrote: > I've recently spent some time reading various TLS RFCs in detail. > During the process I found a few points of confusion, or inconsistency > with what I could find in general implementations. As I'm new to this, > I may be duplicating reports, and I may also be in error. Apologies if > so, but it seemed worth sending a note all the same. > > 1. I don't think RFC5246 actually specifies how DH parameters should > be signed. In section 7.4.3 signed_params is defined as "a signature > over the server's key exchange parameters" and appendix F (which is > non-normative?) described that the parameters are hashed with the > hello.random values, but does not say how. > > RFC4346 does contain a description; but it was not clear to me what > should be done in TLS1.2 without reverse engineering it from existing > implementations. > > Again, my apologies if I've missed it - but I can't find a clear > instruction on how to sign the parameters in the RFC. > > I think a future RFC could benefit from a small repair work here and > I'd be happy to contribute if that's appropriate. > > 2. The handling of alert messages is somewhat ambiguous. I think a > strict reading of the sections on the record layer imply that alert > messages may be fragmented across more than one record, and also that > several alerts (and also maybe a partial alert) may be coelesced into > a single record. Some experiments with implementations show me that > this is inconsistently handled. > > Because alert messages specify the AlertLevel before the alert code, > there is a possibility for ambiguity with the intent of section 7.2. > Suppose that a peer send the first byte of an alert message, and that > that byte is "2". As the recipient, I know that I have a fatal alert. > Should I shut the connection down immediately? Or is the alert message > considered incomplete until the entire message is received? If the > subsequent record, with the second byte of the alert message also > contains other alert messages - what status should I give those? where > a peer chooses to indicate several alerts in one record, should it be > clear that a fatal alert truncates the alert stream? > > Is there a reason to support fragmentation/coalescing for alerts at all? > > 3. The purpose of heartbeat message seems to be a form of path MTU > discovery, but they also seem ill-suited to MTU discovery. In > particular, Heartbeat messages seem to me capable of only discovering > the lowest-MTU supported in both directions of transmission; rather > than the actual MTU of the network paths; which can be (and sometimes > are) asymmetrical. This may seem very esoteric, but as WANs and > transit providers deploy jumbo-frames inconsistently, asymmetrical > MTUs are becoming more common. Though hopefully that day will pass. No, heartbeat messages contain a payload being reflected and a padding being discarded. Therefore you can send your (large) probe packet containing a relatively small payload and a padding to get it to the size you want to test, and just get back a small answer containing the payload (and a small padding). So the padding is there especially for dealing with asymmetric paths. Best regards Michael > > Again, apologies if my notes are duplicative, but figured it was > better to report a dupe than to miss something. > > -- > Colm > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Short notes on TLS RFCs ... Colm MacCárthaigh
- [TLS] Short notes on TLS RFCs ... Colm MacCárthaigh
- Re: [TLS] Short notes on TLS RFCs ... Salz, Rich
- Re: [TLS] Short notes on TLS RFCs ... Michael Tuexen
- Re: [TLS] Short notes on TLS RFCs ... Watson Ladd
- Re: [TLS] Short notes on TLS RFCs ... Michael Tuexen
- Re: [TLS] Short notes on TLS RFCs ... Robert Ransom
- Re: [TLS] Short notes on TLS RFCs ... Colm MacCárthaigh
- Re: [TLS] Short notes on TLS RFCs ... Colm MacCárthaigh
- Re: [TLS] Short notes on TLS RFCs ... Eric Rescorla
- Re: [TLS] Short notes on TLS RFCs ... Christian Huitema