Re: [TLS] sending error alerts: MUST? SHOULD? MAY?

"Ben Laurie" <benl@google.com> Mon, 01 January 2007 11:07 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H1L0s-00054L-Ew; Mon, 01 Jan 2007 06:07:30 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H1L0r-00054B-Lz for tls@ietf.org; Mon, 01 Jan 2007 06:07:29 -0500
Received: from smtp-out.google.com ([216.239.33.17]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H1L0i-0003mk-5y for tls@ietf.org; Mon, 01 Jan 2007 06:07:29 -0500
Received: from spaceape7.eur.corp.google.com (spaceape7.eur.corp.google.com [172.28.16.141]) by smtp-out.google.com with ESMTP id l01B7Ebk015021 for <tls@ietf.org>; Mon, 1 Jan 2007 11:07:14 GMT
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=received:message-id:date:from:to:subject:cc:in-reply-to: mime-version:content-type:content-transfer-encoding: content-disposition:references; b=wHf1jferMc7PP3fEB5lePamj5lmOf+mwi2HPtJbwu439Iu/JQ07AWP3EtvQ6SEl2C k8njizw9rCX5lqr0yx+Fg==
Received: from wx-out-0506.google.com (wxdi27.prod.google.com [10.70.135.27]) by spaceape7.eur.corp.google.com with ESMTP id l01B7Bsd001834 for <tls@ietf.org>; Mon, 1 Jan 2007 11:07:12 GMT
Received: by wx-out-0506.google.com with SMTP id i27so6038253wxd for <tls@ietf.org>; Mon, 01 Jan 2007 03:07:11 -0800 (PST)
Received: by 10.90.52.2 with SMTP id z2mr13606228agz.1167649631710; Mon, 01 Jan 2007 03:07:11 -0800 (PST)
Received: by 10.90.115.20 with HTTP; Mon, 1 Jan 2007 03:07:11 -0800 (PST)
Message-ID: <1b587cab0701010307r32b56732nf85f545848a449a8@mail.gmail.com>
Date: Mon, 1 Jan 2007 11:07:11 +0000
From: "Ben Laurie" <benl@google.com>
To: "Nelson B Bolyard" <nelson@bolyard.com>
Subject: Re: [TLS] sending error alerts: MUST? SHOULD? MAY?
In-Reply-To: <45984414.2090209@bolyard.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <44D32FC2.2080606@bolyard.com> <45984414.2090209@bolyard.com>
X-Spam-Score: -4.3 (----)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

On 12/31/06, Nelson B Bolyard <nelson@bolyard.com>; wrote:
> Last August, I wrote to this list about the lack of "MUST" in the RFCs and
> drafts concerning the use of error and warning alerts.  That message is
> quoted below.  I only got one reply, from Peter Gutmann.
>
> I really want to see this situation get fixed in TLS 1.2.  What can I do
> to make that happen?  Do I need to submit a draft with the suggested changes?
> Erik, if I send you a set of suggested changes as edits to the current 1.2
> draft, will you incorporate them?

If you're going to make errors MUSTs you need to do so carefully,
since information leakage through alerts has been the basis of several
attacks on SSL/TLS.

> OBTW, the "newer implementation" that nevre sends error alerts has been
> released since I wrote that first message.  Can you guess what it is?
>
> Nelson B Bolyard wrote:
> > The existing TLS RFCs and IDs don't say that an implementation MUST send
> > any error alerts.
> >
> > There's lots of "will", "should", "may", but not nearly enough "MUST"
> > (IMO) regarding error alerts (whether fatal or not).
> >
> >
> > Consequently, one of the newer implementations (which I won't name here),
> > one with which I've been doing interoperability testing, simply NEVER sends
> > error alerts.  When any problem occurs, it silently closes the connection
> > without offering any clues to the peer about why it has done so.  The
> > developer's explanation to me for the implementation's behavior was simple:
> > the RFCs do not require that error alerts be sent.  Sending error alerts is
> > simply not a MUST.  Doing so is implicitly a MAY, at most.
> >
> > I think this is going to be a nightmare for trouble shooting.  When a peer
> > system drops a TLS connection, we're going to have to rely on the ability
> > of the user or administrator who runs that peer to determine why it did so,
> > rather than relying on alerts.
> >
> > So, I put the question to the TLS WG:  Is there consensus that the RFC
> > language should be strengthened in the next version (e.g. rfc4346-bis)
> > to say that the error alerts MUST be sent, and when?
> >
> >
> > A survey of error alert discussion in the first 40-some pages of the draft.
> >
> > Regarding close notify alerts, the existing RFC and drafts say that "each
> > party is required to" (why not MUST?) send a close_notify alert if no error
> > condition has occurred and that upon receiving a close-notify alert, the
> > peer MUST send one in respnse.  So, close_notify alerts will get sent,
> > but not error alerts.
> >
> > The latest draft says that when an error alert is sent or received, the
> > session MUST be invalidated, but doesn't require that it be sent.
> >
> > The draft says:
> >    "When an error is detected, the detecting party sends a
> >     message to the other party."
> > I think that should be MUST SEND, but as written it's not a MUST.
> >
> > There are some "SHOULD"s in the current draft rfc4346-bis:
> >    "The receiver MUST check this padding and SHOULD use the
> >     bad_record_mac alert to indicate padding errors."
> >
> > I think this was intended to be understood as "MUST check, MUST send an
> > alert to indicate errors, and SHOULD use bad_record_mac alert when
> > appropriate".  But as written, it clearly makes sending any alert at all
> > at most a SHOULD for bad macs.
> >
> > no_renegotiation is a should, (and a MUST NOT) but never a SHOULD nor a
> > MUST.  certificate_unobtainable is a MAY.
> >
> > The text for client_hello says
> >    "The server will select a cipher suite or, if no acceptable choices are
> >     presented, return a handshake failure alert and close the connection."
> > No MUST in there.
> >
> > The alerts on page 30 MUST NOT be sent except when the client used a
> > hello extension.  But there is no time when they MUST be used.
> >
> > In the current draft, I did find a few MUSTs.
> >
> > Page 37 has an inferred "will":
> >    The server will select a cipher suite or, if no acceptable choices are
> >    presented, return a handshake failure alert and close the connection.
> >
> > page 39 has a MUST:
> >    "... if not then it MUST send a fatal "decode_error" alert."
> >
> > section 7.4.1.3 says: "it will respond with a handshake failure alert."
> >     no MUST there.
> >
> > I found two MUSTS in 7.4.1.4.2 on page 44.  Also a SHALL (isn't that
> > supposed to be a MUST?)
> >
> > I'll stop there without reviewing every weak description of an error alert.
> > Let's please have more MUSTs.
> >
>
>
> --
> Nelson B
> 12345678901234567890123456789012345678901234567890123456789012345678901234567890
> 00000000011111111112222222222333333333344444444445555555555666666666677777777778
>
> _______________________________________________
> TLS mailing list
> TLS@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls
>

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls