Re: [TLS] TLS 1.3, how to close the read side of a connection?
David Schinazi <dschinazi@apple.com> Wed, 07 March 2018 18:19 UTC
Return-Path: <dschinazi@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EFF91271DF for <tls@ietfa.amsl.com>; Wed, 7 Mar 2018 10:19:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.309
X-Spam-Level:
X-Spam-Status: No, score=-4.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x_A00pHXCcyd for <tls@ietfa.amsl.com>; Wed, 7 Mar 2018 10:19:14 -0800 (PST)
Received: from mail-in2.apple.com (mail-out2.apple.com [17.151.62.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2612120721 for <tls@ietf.org>; Wed, 7 Mar 2018 10:19:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1520446754; x=2384360354; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=MQN0S5DqTKQKyArimyGqJCFHhycw+efd0muqA3tcMJw=; b=fscgXl4uCnRQKWT6RWPabwSUwU0/G9x6LDoVz/vSazbQ0MAZCyAuqw/CLr2VSR7L c6CywOh0qR+l+WWWzWEeDZG5Cgl5gFCklp8RFS32yyl4Q+VfXNBXeoyFP+66lMz6 QSISnEbXbnPCu9wcve1rOHx2IfFElSvnQBxCrl10iNCiTqbelXusAUFjt2w4h3tl 2QdF/ut9f02dSFCFxaIUb1yGRloyNzvrBsj2sLJIAxb7kWOqtZ+CQEbPjvMib7X5 OU6qfgFwstdm1SgSdK58C6ZfW9SLjfT215Kn3tK/svXX6sb9t3hUGQbN3NPkIgj9 gdwUbpXUfhRDgO+iORDWhw==;
Received: from relay5.apple.com (relay5.apple.com [17.128.113.88]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in2.apple.com (Apple Secure Mail Relay) with SMTP id 1A.1E.13823.22D20AA5; Wed, 7 Mar 2018 10:19:14 -0800 (PST)
X-AuditID: 11973e11-d4eb59e0000035ff-d0-5aa02d222b65
Received: from nwk-mmpp-sz13.apple.com (nwk-mmpp-sz13.apple.com [17.128.115.216]) by relay5.apple.com (Apple SCV relay) with SMTP id D1.1D.23499.22D20AA5; Wed, 7 Mar 2018 10:19:14 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_KOiROKZsgbRvuAP5dxL1Fw)"
Received: from [17.192.155.180] (unknown [17.192.155.180]) by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.2.20180130 64bit (built Jan 30 2018)) with ESMTPSA id <0P5800305G82X940@nwk-mmpp-sz13.apple.com>; Wed, 07 Mar 2018 10:19:14 -0800 (PST)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
Message-id: <27F60992-04BF-4803-95F4-4F15E4E434FD@apple.com>
Date: Wed, 07 Mar 2018 10:19:13 -0800
In-reply-to: <CABcZeBM-XM4XeeKuAjpBizDOxOvqN92-QRp5-T371xkTi6BmgA@mail.gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, tls@ietf.org
To: Xuelei Fan <xuelei.fan@vimous.com>
References: <CAJR_8q+LmWLk92dEq6ZQ0+jsanWJLbptB4RwdmkhNncSLZs6wA@mail.gmail.com> <CABcZeBM-XM4XeeKuAjpBizDOxOvqN92-QRp5-T371xkTi6BmgA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrNLMWRmVeSWpSXmKPExsUi2FAYoaukuyDK4E+3pMWK1+fYLT6d72K0 uH9sLbsDs8eSJT+ZPCY/bmP2eLr3AGMAcxSXTUpqTmZZapG+XQJXxuaXs9gLprlUPL42k7WB cZtlFyMnh4SAiUTntBWsXYxcHEICq5kkzjw6wAiT+LDuMjtE4hCjxLmGW6wgCV4BQYkfk++x gNjMAmESX57PZYEomswksfPCFrCEsIC0RNeFu0ANHBxsAloSB9YYgZi8AjYSa+9bQFS4Syy9 dIcNxGYRUJW4fGcKG0gJp0CwRMd8bhCTWUBPYkpnBUiFiICaxN1Vi5kgFs1klNjdOhvqTCWJ 6d9vs4EkJATWsEncnHSUaQKj0Cwkl85CcimErSXx/VErkA2yQ17i4HlZiLCmxLN7n9ghbG2J J+8usC5gZFvFKJSbmJmjm5lnpJdYUJCTqpecn7uJERQb0+0EdzAeX2V1iFGAg1GJh1fiz/wo IdbEsuLK3EOM0hwsSuK8HZvnRgkJpCeWpGanphakFsUXleakFh9iZOLglGpg9FnSntKRkLa/ 6Q2DTvQn3kU8zTe3rquomrc3c2bgDOY6LQ1vx8DKo+KZV38Z6Tpfny9+belX9g/ai9z1/U44 XxdYKWTjfv6zyA22n9tO5noFKC/93O11+FP22Z3tSc8k73zPOq+tzOu0V6zeIYIj66nQ40q9 P2KMF+IjxLY/qo/nmKEV4KypxFKckWioxVxUnAgA9QAdsm4CAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrHLMWRmVeSWpSXmKPExsUi2FB8Q1dJd0GUwfV2MYsVr8+xW3w638Vo cf/YWnYHZo8lS34yeUx+3Mbs8XTvAcYA5igum5TUnMyy1CJ9uwSujM0vZ7EXTHOpeHxtJmsD 4zbLLkZODgkBE4kP6y6zdzFycQgJHGKUONdwixUkwSsgKPFj8j0WEJtZIEziy/O5LBBFk5kk dl7YApYQFpCW6LpwF6iBg4NNQEviwBojEJNXwEZi7X0LiAp3iaWX7rCB2CwCqhKX70xhAynh FAiW6JjPDWIyC+hJTOmsAKkQEVCTuLtqMRPEopmMErtbZzNCnKkkMf37bbYJjPyzkBw3C8lx ELaWxPdHrUA2yFh5iYPnZSHCmhLP7n1ih7C1JZ68u8C6gJFtFaNAUWpOYqWpXmJBQU6qXnJ+ 7iZGcCgXRuxg/L/M6hCjAAejEg+vxJ/5UUKsiWXFlbnAEOJgVhLhNZJfECXEm5JYWZValB9f VJqTWnyIUZqDRUmct+XnzCghgfTEktTs1NSC1CKYLBMHp1QDY0r+jRc8LP93qtTrabgnrVYJ 68rYffRC8YtTsh8uTdnVGMAW47ftYp3y9+b3O/5bPO98vG+ar87XU0Gh/JXTC/m51ULz7lkc yVghUWM4yfbMnkXX0pg/+XxrOpp9NEn5CY+GyAepgh2Vj9ebinB16f5ZuJE1YsIUMcGUNev/ neW3899/yr7CQImlOCPRUIu5qDgRAFn1wkJhAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/t_BchtNLAqBzYpNxWGn2o5xtAtA>
Subject: Re: [TLS] TLS 1.3, how to close the read side of a connection?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 18:19:16 -0000
Hi Xuelei, Do you have an example for when you would need to gracefully close the read side? If you're downloading a 10GB video and the user cancels the download, you can simply tear down the TCP connection by sending a RST. The benefit of having a graceful read close would be for the server to know that the client application was done, but in the 10GB video example, I don't see what the server application would do with that information. Do you have an example where the server would treat a graceful read close differently from a non-graceful close? In TLS 1.2 and prior, the client would send a close_notify, the server would reply with a close_notify in the middle of the 10GB of application data. That actually doesn't provide any gracefulness to the server application - the point of close_notify is to indicate that the data you're sending hasn't been truncated, and in this example it does get truncated. Thanks, David Schinazi > On Mar 7, 2018, at 09:51, Eric Rescorla <ekr@rtfm.com> wrote: > > Well, this is like TCP in that respect. You send close_notify and then you either stop reading off of or close the TCP socket. > > -Ekr > > > On Wed, Mar 7, 2018 at 9:40 AM, Xuelei Fan <xuelei.fan@vimous.com <mailto:xuelei.fan@vimous.com>> wrote: > Hi, > > Per TLS 1.3 draft (Section 6.1, Closure Alerts), the close_notify alert is used to notify the recipient that the sender will not send any more messages on this connection. And this does not have any effect on its read side of the connection. I think it means that after sending the close_notify alert, it still can keep reading data from the peer; and after receiving the close_notify alert, it still can keep sending data to the peer. > > The question comes to me is about how to close the read side of the connection. If closing the read side silently, there are potential issues if the application protocol using TLS provides that any data may be carried over the underlying transport after the TLS connection is closed. If sending a close_notify alert, the peer may just treat is as close the its read side and may keep write in its write side. It does not actually close the read side cleanly. If keep waiting for the close_notify from the peer, the local may have to wait until the peer happy to close its write side. It does not sound friendly to the local side. From example, if I download a 10GB video via TLS 1.3 over VPN, looks like there is no way to indicate the server that I want to cancle in the middle of the downloading in TLS layer. I may miss something. I did not find a solution about how to close the read side of TLS 1.3 connections yet. Please help if you have an idea! > > It's not a problem in TLS 1.2 and prior versions, as the peer MUST respond with a close_notify of its own after receiving a close_notify alert. > > Thanks, > Xuelei Fan > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] TLS 1.3, how to close the read side of … David Schinazi
- [TLS] TLS 1.3, how to close the read side of a co… Xuelei Fan
- Re: [TLS] TLS 1.3, how to close the read side of … Eric Rescorla
- Re: [TLS] TLS 1.3, how to close the read side of … Xuelei Fan
- Re: [TLS] TLS 1.3, how to close the read side of … David Schinazi
- Re: [TLS] TLS 1.3, how to close the read side of … Xuelei Fan
- Re: [TLS] TLS 1.3, how to close the read side of … Tony Putman
- Re: [TLS] TLS 1.3, how to close the read side of … David Schinazi
- Re: [TLS] TLS 1.3, how to close the read side of … Salz, Rich
- Re: [TLS] TLS 1.3, how to close the read side of … Tony Putman
- Re: [TLS] TLS 1.3, how to close the read side of … Christopher Wood