IETF Logo Mail Archive

Re: [TLS] Should we require implementations to send alerts?

Brian Smith <brian@briansmith.org> Thu, 17 September 2015 22:30 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D1631A1BC8 for <tls@ietfa.amsl.com>; Thu, 17 Sep 2015 15:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OYWw0HdG7qvx for <tls@ietfa.amsl.com>; Thu, 17 Sep 2015 15:30:13 -0700 (PDT)
Received: from mail-ig0-f178.google.com (mail-ig0-f178.google.com [209.85.213.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48E371A1BB1 for <tls@ietf.org>; Thu, 17 Sep 2015 15:30:13 -0700 (PDT)
Received: by igbni9 with SMTP id ni9so5786006igb.0 for <tls@ietf.org>; Thu, 17 Sep 2015 15:30:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=KtTml8yY1rW9U499lAxP4JR5ISWrLEvWAdm/c6NEDxI=; b=OwDLJjsNVBj2ONVY6HDVd/TYWBJpkR3qB94xRMV/yzzjUdLSJpB/fsysa55f5H9HsR zEm/D6pfTKC8BIrHrElk1VRZQk4WY2jmQ6WXOBAPxhAPaALozPzxonVVyzo9lT4x/QSm Tkos7fMSN4SkD9TLPNcQpkdNE69unidtRU3OGtPzz/m9rpw2DBLA4j2oGpAzMfpOxu0o q+vGSQtyz3d6L88sDeYgXQzcZVqmyVbrjZK1QrNzjmTmqsh4p2FjWO52hUO3MjGKmY/F qUtgVIBwe+Z0lVjrAn4OGvc12/7ZroQRuraySxWsZRG9RFr6J4yAJLBw5dGhquG1Fkyy xjlw==
X-Gm-Message-State: ALoCoQn+usVVLCIrrI9OYJ2WDGZzLZpuXE2teobmJXRUsjYSC75z5Ip4my30QKGAkSLY64glmqeL
MIME-Version: 1.0
X-Received: by 10.50.70.67 with SMTP id k3mr10907798igu.76.1442529012633; Thu, 17 Sep 2015 15:30:12 -0700 (PDT)
Received: by 10.79.107.204 with HTTP; Thu, 17 Sep 2015 15:30:12 -0700 (PDT)
In-Reply-To: <CABkgnnVjQ3yqvJeuCAfL0Fx6BR0xAWhf1eKmVWXWY2nkRwfLGg@mail.gmail.com>
References: <CABcZeBPnO4zn_HkvwLpLC+EVYN8EKOBEsR80oRt3HZgsiNGDoQ@mail.gmail.com> <CAFewVt6JAY20iXGZhufFRHSUrs5kVzP_CO2VmR5c1vaM-D_KZQ@mail.gmail.com> <20150917205004.GW13294@localhost> <CAFewVt4ayyOfzQBgAkSEu7R+x+0PjHbxCWd400fSLrzoQYsTAA@mail.gmail.com> <CABkgnnVjQ3yqvJeuCAfL0Fx6BR0xAWhf1eKmVWXWY2nkRwfLGg@mail.gmail.com>
Date: Thu, 17 Sep 2015 15:30:12 -0700
Message-ID: <CAFewVt5CtVkgoA6Ls8_yd2f5b3TOONStGXHyCs8jxHap1qWPKg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b3a8a6460757a051ff8f5e5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rZ-WUm2L5Z8yiyz9XxK81VNhGzs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should we require implementations to send alerts?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2015 22:30:15 -0000

Martin Thomson <martin.thomson@gmail.com> wrote:

> On 17 September 2015 at 14:46, Brian Smith <brian@briansmith.org> wrote:
> > Browser vendors, if web servers were to stop sending alerts during
> handshake
> > failures, would you start doing version fallback when a connection is
> > closed?
>
> I'm not sure.  We still have a small amount of vestigal fallback code
> in our code.  We are gradually killing version fallback off and
> removing alerts would likely set that effort back.
>

Actually, Firefox has already stopped doing version fallback completely for
all versions of TLS it supports, unless the website is on a whitelist.
That's not really "gradually."

We're not sure where we stand with version fallback and 1.3.  We don't
> know how much version intolerance 1.3 will generate.  That at least
> might not depend on alerts, though we don't know just yet.
>

A conformant TLS 1.3 implementation cannot be version intolerant. If it
were version intolerant then it would not be a conformant TLS 1.3
implementation. So, conformance requirements for TLS .1.3 servers don't
matter as far as version intolerance is concerned.


> I don't see much support for the notion that forbidding alerts is a
> good idea.  We use alerts quite a bit for basic diagnosis.  Bad
> configurations are pretty commonplace, the most common being one where
> there is no common cipher suite.  Being able to isolate the error that
> is pretty useful.
>

I still think it is better to recommend to never send alerts. But, at least
there are good reasons (which I gave much earlier in the thread) for why a
server would choose not to send alerts, e.g. out of an abundance of
caution. So, "MUST send" is clearly too far.

Cheers,
Brian
-- 
https://briansmith.org/

v2.23.0 | Report a Bug | By Email