Re: [TLS] TLS 1.3 and TCP interactions
David Benjamin <davidben@chromium.org> Sat, 30 May 2020 14:59 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BE623A0859 for <tls@ietfa.amsl.com>; Sat, 30 May 2020 07:59:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.25
X-Spam-Level:
X-Spam-Status: No, score=-9.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QCHw9C0a303z for <tls@ietfa.amsl.com>; Sat, 30 May 2020 07:59:11 -0700 (PDT)
Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E09793A0858 for <tls@ietf.org>; Sat, 30 May 2020 07:59:10 -0700 (PDT)
Received: by mail-pg1-x52b.google.com with SMTP id s10so1358349pgm.0 for <tls@ietf.org>; Sat, 30 May 2020 07:59:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UoNxcT5+BhNZqUHXlMX9ThKQtRnAcWdQqs0+lzE2qG0=; b=KNwfP3j4mi3+83MC7DdnRvh5/DnMS8I7tuZlcGqEL/0KL3n4hJvsqj4n8AOzqosdVy TbhCExNzHeb+IvoAnMv1KFOarmPrWgySAJ3nhN5s2ao9eAAwec2UkRDJMsa4+gF4PFzy L0UQ9VT/Hu7QkLpLQTXNXtUOr1QGscAvajC1s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UoNxcT5+BhNZqUHXlMX9ThKQtRnAcWdQqs0+lzE2qG0=; b=KGDWHK+LKRFzX5LVvF0UMA2vfPdmiAdN5dP+maF1wthSMy8DM7l70KuxIS7t9VeW4f tHMSUj+cd3bF5FNXxrUNhhQA4r714OYu7ljv4sZEzcIje5E0QcC5JC+JMqdJZk6MynFY OGmAMNwOo9oBAYWaMl2HkMj5mUkAalEXnNm4bI7doIq/iMVIJxBy/0U5LRYVClp1EbEw aKIZgO4iPsRi41CvNyMS/Xxj+VfcnwyX5vJgrwDMUhK5HWa7cELOrEKKsaYEsGdVvdB1 2hdDecN1HNqGO6PAxf9l+wF8yb1k9GuaaIihmx/w5SILNlXkEhHzTryFmaPKhvdGYU58 1Qdw==
X-Gm-Message-State: AOAM531hBHfvJpUnTlgWxh5i2Tq//XdjpVoDpsSL0xcjua0Ytbll1KLa sVyIsHD4rxTTXJ0EVK6lSdPCkUVqm2hDfBr5E4VY54xhgw==
X-Google-Smtp-Source: ABdhPJzOXjkks66brbzkmVQDQnWNeNfWifiLJmF+kv8c99ZA2uXnuW5RuZhh4dfOzxPGkp5XNesX26IAvtr2FD73o8Q=
X-Received: by 2002:a63:b0f:: with SMTP id 15mr12420275pgl.6.1590850750125; Sat, 30 May 2020 07:59:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaBBKvcGMFRxxuVvfBo2Z96mqiEwLfG7H2ZQw0m5+TMnVg@mail.gmail.com> <36e4f801-f61f-4f7e-3a5f-2e68b5cf0f29@wizmail.org> <CAF8qwaD81mA9mp0LFXAAamZc_PvSrqpbSEqUt=vzzRp9u3=o+Q@mail.gmail.com> <48784e43-d01c-2c1e-c1b2-d6397b5ebae3@wizmail.org>
In-Reply-To: <48784e43-d01c-2c1e-c1b2-d6397b5ebae3@wizmail.org>
From: David Benjamin <davidben@chromium.org>
Date: Sat, 30 May 2020 10:58:54 -0400
Message-ID: <CAF8qwaCz0DMQ9QS1U118otn4uxVZq8BzXun6w80zDLV+FgjH8A@mail.gmail.com>
To: Jeremy Harris <jgh@wizmail.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000da853b05a6decd19"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nkokLDG9uMMKq8kLj4SzKLbFBlw>
Subject: Re: [TLS] TLS 1.3 and TCP interactions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 May 2020 14:59:13 -0000
On Fri, May 29, 2020 at 8:06 PM Jeremy Harris <jgh@wizmail.org> wrote: > On 29/05/2020 22:52, David Benjamin wrote: > > On Fri, May 29, 2020 at 5:36 PM Jeremy Harris <jgh@wizmail.org> wrote: > > > >> On 29/05/2020 21:59, David Benjamin wrote: > >>> Moreover, in a client-speaks-first protocol, the error now comes after > >> the > >>> client has already sent its request. This is not only a behavior change > >> but > >>> makes it unreliable over TCP. TCP sees: > >>> > >>> > >>> 1. > >>> > >>> Client: write(ClientHello); > >>> 2. > >>> > >>> Server: read(ClientHello); write(ServerHello..Finished); > >>> 3. > >>> > >>> Client: read(ServerHello..Finished); write(Certificate..Finished); > >>> 4. > >>> > >>> Server: read(Certificate..Finished); write(bad_certificate); > close(); > >> > >> Rather than close(), the server should shutdown(SHUT_WR) > >> > >>> 5. > >>> > >>> Client: write(“GET / ...”); read(???); > >>> > >>> > >>> Note (4) and (5) happen in parallel. Ideally ??? would be a > >> bad_certificate > >>> alert, but it is sometimes a TCP reset. I’m not a TCP expert, but I > >> believe > >>> this is because the client writes data (“GET / ...”) the server never > >>> consumes. > >> > >> ... because, having solely notified that it will send no more, the > >> server is free to continue to read from the socket. > >> > > > > The server's application logic has no reason to continue to read from the > > socket. > > Perhaps not, though I suggest it is valuable to it for debug and > development to be able to see the client's reaction to the shutdown.\ > I have never seen a production server do this. > However, you ignored the value of the shutdown() action not resulting > in a RST. That means that the client view becomes deterministic; > your "read(???)" in the close/RST scenario becomes > "read(error, ALERT:bad cert)". > Yes, I said exactly this twice now. :-P Except the shutdown() isn't the deciding factor. It's the lack of close(). shutdown(SHUT_WR) doesn't hurt, but the alert already signals to the client that the connection is done. > It seems the only fix is for the server to keep the connection alive for some time after the failure, maybe draining some bytes from the application, with some limit before giving up and resetting if the client seems to be writing a lot of data without ever reading. This would need to be quite up the stack. We have not implemented this. However, there are two problems here. First, the server needs to call close() eventually to release resources. This is a failed connection. The natural thing to do is to tear down the connection state which, ultimately, will destroy the socket in the natural implementation. In particular, connection management is often outside the low-level TLS library. The HTTP server is simply doing something like: if (tls_server_handshake(connection->tls) != TLS_HANDSHAKE_SUCCESS) { // Release all resources associated with connection. It's not needed anymore. // This, among other work, needs to call close(connection->fd). The caller here // is not a TLS expert and reasonably assumes that the TLS library has sent // any data it needs to send. But the TLS library doesn't own the fd and can't // prevent the close. delete_connection(connection); } If the HTTP server software is aware of this mess, it can certainly get the right behavior by leaving the socket open for longer, releasing it later after a timeout or so. This is not obvious, hence the note here, so folks would be aware of this interaction. Moreover, simply closing the socket on error worked just fine in TLS 1.2, so most existing HTTP server software are not going to keep their connections alive after error for the sake of it. Additionally, as noted in the original email, leaving the socket open is insufficient if the client's first write exceeds the transport buffers. Either the client needs to eagerly read (not an obvious expectation, nor something that all clients do, hence the email), or the server must drain the socket (an *especially* non-obvious expectation). David
- [TLS] TLS 1.3 and TCP interactions David Benjamin
- Re: [TLS] TLS 1.3 and TCP interactions Jeremy Harris
- Re: [TLS] TLS 1.3 and TCP interactions David Benjamin
- Re: [TLS] TLS 1.3 and TCP interactions Watson Ladd
- Re: [TLS] TLS 1.3 and TCP interactions Nico Williams
- Re: [TLS] TLS 1.3 and TCP interactions Jeremy Harris
- Re: [TLS] TLS 1.3 and TCP interactions Viktor Dukhovni
- Re: [TLS] TLS 1.3 and TCP interactions Ilari Liusvaara
- Re: [TLS] TLS 1.3 and TCP interactions David Benjamin
- Re: [TLS] TLS 1.3 and TCP interactions David Benjamin
- Re: [TLS] TLS 1.3 and TCP interactions Nico Williams