Re: [TLS] interop for TLS clients proposing TLSv1.1

Geoffrey Keating <geoffk@geoffk.org> Thu, 22 September 2011 00:07 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 697411F0C56 for <tls@ietfa.amsl.com>; Wed, 21 Sep 2011 17:07:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NE2uz9I1lxL6 for <tls@ietfa.amsl.com>; Wed, 21 Sep 2011 17:07:17 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.118.138]) by ietfa.amsl.com (Postfix) with ESMTP id 0C31521F8D1D for <tls@ietf.org>; Wed, 21 Sep 2011 17:07:17 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id DCC0033D145; Thu, 22 Sep 2011 00:09:42 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: mrex@sap.com
References: <m27h51ecb8.fsf@localhost.localdomain> <201109212320.p8LNKWl5023077@fs4113.wdf.sap.corp>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: 21 Sep 2011 17:09:42 -0700
In-Reply-To: <201109212320.p8LNKWl5023077@fs4113.wdf.sap.corp>
Message-ID: <m239fpe8u1.fsf@localhost.localdomain>
Lines: 23
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: tls@ietf.org
Subject: Re: [TLS] interop for TLS clients proposing TLSv1.1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Sep 2011 00:07:17 -0000

Martin Rex <mrex@sap.com>; writes:

> Geoffrey Keating wrote:
> > RFC 793 says, in section 3.5, that a connection is closed by sending a
> > FIN.  A RST is not a close of the connection but an abort; as RFC 793
> > says, "Such a message indicates to the site B TCP that something is
> > wrong, and it is expected to abort the connection."
> 
> Your on the wrong page, see RFC1122 Section 4.2.2.13.
> Sending RST on cluse, indicating loss of data (that includes future
> loss of data).
> 
> When not lingering on close, the server closes and destroys the socket
> immediately, there will not be a graceful three way handshake and the
> server does not care whether the data is received by the recipient,
> not even whether the data is delivered by the network.

I think we're agreeing?  For the purposes of TLS, you definitely don't
want to do an abort by sending a RST, because it doesn't guarantee
that the alert gets delivered to the endpoint---even if it gets
physically sent, and it's not dropped in transit, the other end may
discard it before delivering it to the TLS layer (flushing its buffers
on receipt of a RST).