[TLS] Sending fatal alerts over TCP
Florian Weimer <fweimer@bfk.de> Tue, 20 December 2011 13:15 UTC
Return-Path: <fweimer@bfk.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3928921F8B0B for <tls@ietfa.amsl.com>; Tue, 20 Dec 2011 05:15:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level:
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[AWL=1.100, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oybSbH9QyeqE for <tls@ietfa.amsl.com>; Tue, 20 Dec 2011 05:15:33 -0800 (PST)
Received: from mx01.bfk.de (mx01.bfk.de [193.227.124.2]) by ietfa.amsl.com (Postfix) with ESMTP id 3BFFA21F8880 for <tls@ietf.org>; Tue, 20 Dec 2011 05:15:33 -0800 (PST)
Received: from mx00.int.bfk.de ([10.119.110.2]) by mx01.bfk.de with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) id 1RczXX-0008Ri-GR for tls@ietf.org; Tue, 20 Dec 2011 13:15:31 +0000
Received: by bfk.de with local id 1RczXX-0001WR-Dn for tls@ietf.org; Tue, 20 Dec 2011 13:15:31 +0000
From: Florian Weimer <fweimer@bfk.de>
To: tls@ietf.org
Date: Tue, 20 Dec 2011 13:15:31 +0000
Message-ID: <82ehvzidu4.fsf@mid.bfk.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: [TLS] Sending fatal alerts over TCP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Dec 2011 13:15:34 -0000
TCP has the property that connection shutdowns can overtake application data if connections are used in full-duplex mode. Here's an example: X sends a fatal TLS alert to Y X shuts down the connection Y sends data to X X receives from Y, sends RST to signal data loss to Y Y receives RST At this point, when Y tries to send further data, it will receive EPIPE from the sockets API. When it tries to read data, it will receive ECONNRESET. According to the socket API sepcification, there is no way to access the initial TLS alert. Note that this behavior is not related to the SO_LINGER socket option. (I see this with an OpenJDK server and a GNUTLS client, when the server sends a certificate_unknown alert immediately after receiving the Certificate message. The client never receives it.) What is the best way to deal with this? I plan to avoid closing the connection immediately after sending the alert, essentially waiting for the client to close the connection. (There will be a short timeout, but denial-of-service issues have to be dealt with out-of-band anyway.) Are there any better options? -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
- [TLS] Sending fatal alerts over TCP Florian Weimer
- Re: [TLS] Sending fatal alerts over TCP Marsh Ray
- Re: [TLS] Sending fatal alerts over TCP Nico Williams
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Nico Williams
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Peter Gutmann
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Florian Weimer
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Marsh Ray
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Marsh Ray
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Martin Rex
- Re: [TLS] Sending fatal alerts over TCP Nico Williams
- Re: [TLS] Sending fatal alerts over TCP Peter Gutmann
- Re: [TLS] Sending fatal alerts over TCP Bodo Moeller
- Re: [TLS] Sending fatal alerts over TCP Paul Hoffman
- Re: [TLS] Sending fatal alerts over TCP Florian Weimer