Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert
Nikos Mavrogiannopoulos <nmav@gnutls.org> Mon, 07 June 2010 18:06 UTC
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DDBAC3A67AC for <tls@core3.amsl.com>; Mon, 7 Jun 2010 11:06:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fl13-+HYLstu for <tls@core3.amsl.com>; Mon, 7 Jun 2010 11:06:08 -0700 (PDT)
Received: from mail-ew0-f209.google.com (mail-ew0-f209.google.com [209.85.219.209]) by core3.amsl.com (Postfix) with ESMTP id D9A813A67AD for <tls@ietf.org>; Mon, 7 Jun 2010 11:06:07 -0700 (PDT)
Received: by ewy1 with SMTP id 1so816315ewy.13 for <tls@ietf.org>; Mon, 07 Jun 2010 11:06:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=0XmP83BA0uLGXc+AJvgHT/5PpSVudz40h1C6BHHaw+4=; b=qBkMeSzV+FPs9bZ7TRnTTfAlEGBeQvkDLICFIUvrxBh09jEPZBX87qhUnklCGkvQ/D vorrOzKf2pUopQ1DltiktjjRiXk+N6QqQ5S9ja5Rk4M4JN6y/6HbYrDHsTL12Y/s+zNQ oLX+tPZf19QlSH1XQ0/zhSZ4cSCACztaqnvmw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=hzOFKHney9KG+EVJ9i5IlvZOtsNg7yTBZ/hnsyGbmlgLZsoxeuCDofU1tX/Jor35Cv u4oSRvh5dQZC0lZ0a77dxUAct/uZG/MMsV9zL0/GzkJgq9GsEc4JuPLvVk/NTg/0m2t2 rv+3inprySjF6nGI+ozyphEb1ynXjOYXxTitk=
Received: by 10.213.9.70 with SMTP id k6mr1085230ebk.54.1275933960909; Mon, 07 Jun 2010 11:06:00 -0700 (PDT)
Received: from [10.100.2.14] (78-23-67-218.access.telenet.be [78.23.67.218]) by mx.google.com with ESMTPS id 14sm2824008ewy.10.2010.06.07.11.06.00 (version=SSLv3 cipher=RC4-MD5); Mon, 07 Jun 2010 11:06:00 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4C0D3507.10803@gnutls.org>
Date: Mon, 07 Jun 2010 20:05:59 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Michael D'Errico <mike-list@pobox.com>
References: <201006071446.o57EkTuW029119@fs4113.wdf.sap.corp> <4C0D321F.4040001@pobox.com>
In-Reply-To: <4C0D321F.4040001@pobox.com>
X-Enigmail-Version: 0.95.7
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2010 18:06:10 -0000
Michael D'Errico wrote: > Martin Rex wrote: >> >> I actually fail to see the exact purpose of a warning-level alert >> "unrecognized_name". The client is supposed to perform the server >> endpoint >> identification in any case, and that warning should not affect the >> outcome of that process at all. > > I feel like I'm "guilty until proven innocent" on this one. > > Have you ever connected to a secure site only to have the HTML contain a > warning that inadequate security was established? This used to happen > if you connected to www.paypal.com with DES3 (but now it is just closing > the connection). The purpose of that behavior was to give the end user > more diagnostic information than they get when the connection is merely > dropped after sending a fatal handshake_failure alert. TLS doesn't handle this. TLS doesn't even specify a security level for a connection (and it isn't easy to). > It would help if a no_common_ciphers alert was added to TLS. That alert > would be sent when the server doesn't support any of the client's > proposed cipher suites. It could also be used at the warning level in > the case of paypal's former behavior. The handshake would complete > (after sending the warning) How would it complete if they don't have common ciphers? > The unrecognized_name warning alert can provide similar information to a > client application. If something goes wrong and the client application > is looking for a reason why, it can ask the TLS layer if anything strange > happened. If this warning alert was received, that information might > help the client diagnose the problem and determine what corrective action > to take. For the current example it is obvious what went wrong by viewing the certificate sent isn't it? > Clearly you don't see much use for this alert, but you should not impose > that bias on others. It is up to the application to decide what to do > with the facilities provided by the TLS protocol. I think it is important to have a good case of a thing to be handled in code. If a TLS warning alert is _never_ going to be used, or it does not provide valuable information to the peer. However if you think that this information is valuable and it might even save debugging time for implementors then I think it would be a nice opportunity to reconsider (at least for me). Otherwise I think that the information provided by this alert is redundant since it can be also seen by the certificate sent. regards, Nikos
- [TLS] RFC-4366-bis and the unrecognized_name(112)… Yngve Nysaeter Pettersen
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Nikos Mavrogiannopoulos
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Yngve Nysaeter Pettersen
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Nikos Mavrogiannopoulos
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Yngve Nysaeter Pettersen
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Marsh Ray
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Marsh Ray
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Peter Saint-Andre
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- [TLS] [Fwd: Re: RFC-4366-bis and the unrecognized… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Marsh Ray
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Nikos Mavrogiannopoulos
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Nikos Mavrogiannopoulos
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Peter Gutmann
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Nikos Mavrogiannopoulos
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Donald Eastlake
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Sean Turner
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… t.petch
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Paul Hoffman
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Marsh Ray
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Peter Saint-Andre
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Joseph Salowey (jsalowey)
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Marsh Ray
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Nikos Mavrogiannopoulos
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Michael D'Errico
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Peter Sylvester
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Peter Sylvester
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Peter Sylvester
- Re: [TLS] RFC-4366-bis and the unrecognized_name(… Martin Rex