Re: [TLS] close_notify and TLS 1.3
Martin Thomson <martin.thomson@gmail.com> Sat, 11 November 2017 15:18 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3065B129A99 for <tls@ietfa.amsl.com>; Sat, 11 Nov 2017 07:18:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1BvqPfn5nJpC for <tls@ietfa.amsl.com>; Sat, 11 Nov 2017 07:18:21 -0800 (PST)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F8EF1298BA for <tls@ietf.org>; Sat, 11 Nov 2017 07:18:21 -0800 (PST)
Received: by mail-oi0-x230.google.com with SMTP id q4so8687730oic.7 for <tls@ietf.org>; Sat, 11 Nov 2017 07:18:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=AZwAslj/2QK1osKIWzVDenmoHFDb07+sFj+Kj6qlnBg=; b=mBKKQBhT39/Lpse4LGgjw8n8jqgN/xJ0rigX4JqLuUx/Bj6BbJpxsrn822l27vwCWL 5aVOUe2vQPw7FoMrXvXsn8rg5nS95KYZZM6L8zF0RY6hF5hFOGe8kuQ9aaljLgGvrIXD 51evF1qP6s8mDICBpe/7JGP1onRkAqweQv3r7ZVFT4lOhmKR3qQlFBez8Wmk10ojg7LR qVAk5Ro/3YphHqNjW1zb9gJeJVfalewL5d/ntUWxQXIOsYcI8u5MzjUDvdunvBOxSQ+e skoHLp6WOYP980b7XMuL+J41hcRRaEa3hpXBnIWeKkVwzFwmE6U3ZEKNIa8Z7p2Er+c3 MX4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=AZwAslj/2QK1osKIWzVDenmoHFDb07+sFj+Kj6qlnBg=; b=lTkG8FBcvbc8RYQET+MW3Gdm/p/+sGUDaoui6niHCd7RkhcTcUIpC47UxznAlmZ9pE UpDxqlY7EL/LD01t4kZUAAkOwGLiqVeB1gtlbebQIwUne9laYsvxNimTYreBs4ig7LPZ /EkrVPdmOWLCBivG6zjny4AK4DEFgzM872GwQ0h4kCg5hj+0Zleq+DxDU0tufstNATjy Ft8dKthNpPicPRHeChannYR3MHIJefSQ79K4eii86s71WcUqFQgsD/Kkhb/Cl2kvYTFO lDL96PDz1X00zfylui6o0eHNRC5jW3ksEVb0iKds+8CB11BD+DjQEzZJcPwN8ImR4wRo 2NCA==
X-Gm-Message-State: AJaThX5PtUb08f/u5rww0cPz5a+ZHQv2+sVRxYnVdvx8+jbdphCHNpON EAqpzE6m0L2ZZ0dHDHSfktbc7t5UsmxpfqGlIzklKA==
X-Google-Smtp-Source: AGs4zMbgvIiA4/fkXVfXxkNsPfGAc3hYylxvDkCGvkAvwnW31bqrNB/uMSx2sORlPpqnWKcTkEdgQCGx+AKxV4nCegw=
X-Received: by 10.202.225.130 with SMTP id y124mr2192138oig.88.1510413500787; Sat, 11 Nov 2017 07:18:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.8.11 with HTTP; Sat, 11 Nov 2017 07:18:20 -0800 (PST)
In-Reply-To: <A6C599ED-3F3D-462F-9B39-1FEF6A0B549B@apple.com>
References: <A6C599ED-3F3D-462F-9B39-1FEF6A0B549B@apple.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Sat, 11 Nov 2017 23:18:20 +0800
Message-ID: <CABkgnnU3OuzEm2gF6BYif4c0evAfzUYH-PpxoERD9xFEosQ_oQ@mail.gmail.com>
To: David Schinazi <dschinazi@apple.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ulEOg1BccW5nei_BwGy0WoTjlYc>
Subject: Re: [TLS] close_notify and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Nov 2017 15:18:23 -0000
This seems like it might be worth looking at. This seems to be something that harks back to SSL3 or even earlier. We aren't going to make it so that you can rely on this behaviour, but we might be able to make it possible to half-close, which for new protocols using TLS could be hugely useful. On Sat, Nov 11, 2017 at 5:21 PM, David Schinazi <dschinazi@apple.com> wrote: > Hello all, > > Currently TLS 1.3 specifies close_notify in the same way that TLS 1.2 did. > I believe that has issues and this might be the right time to fix them. > The purpose of close_notify is to protect against data truncation attacks, > each side is required to send close_notify before closing the write side of > the transport connection so the other side knows that the data was not > truncated. > As such, close_notify only needs half-close semantics to prevent truncation. > > However, the specification contains the following text: > << Each party MUST send a “close_notify” alert before closing the write side > of the connection, unless some other fatal alert has been transmitted. > The other party MUST respond with a “close_notify” alert of its own and > close > down the connection immediately, discarding any pending writes. >> > > This means that an application-layer client can't send a query then close > their > write transport when they know that they're done, because the server would > terminate the TLS session before sending the reply. On top of this, when > the server receives the close_notify, it may have already sent part of the > reply > (or wrote it to the socket send buffer) so the responding close_notify would > in effect be inflicting a truncation attack on the client. > > This doesn't make much difference for HTTP because clients already > don't close their write transport after sending a reply, however having the > option do do this could allow innovation in new protocols that can define > the semantics of when they use close_notify. An example is DNS PUSH: > https://tools.ietf.org/html/draft-ietf-dnssd-push > > A proposal to solve this problem would be to give close_notify half-close > semantics: we keep the requirements that a close_notify be sent before > closing the transport, and that any data received after a close_notify is > ignored, but we simply remove the requirement to immediately reply > with a close_notify. This has the advantage that current implementations > are already compliant but future ones can leverage this improvement. > > What do you think? Is this worth discussing on Thursday? > > Thanks, > David Schinazi > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] close_notify and TLS 1.3 David Schinazi
- Re: [TLS] close_notify and TLS 1.3 Martin Thomson
- Re: [TLS] close_notify and TLS 1.3 David Benjamin
- Re: [TLS] close_notify and TLS 1.3 Eric Rescorla
- Re: [TLS] close_notify and TLS 1.3 David Schinazi
- Re: [TLS] close_notify and TLS 1.3 Eric Rescorla
- Re: [TLS] close_notify and TLS 1.3 Martin Thomson
- Re: [TLS] close_notify and TLS 1.3 David Schinazi
- Re: [TLS] close_notify and TLS 1.3 Ilari Liusvaara
- Re: [TLS] close_notify and TLS 1.3 Hubert Kario
- Re: [TLS] close_notify and TLS 1.3 Eric Rescorla
- Re: [TLS] close_notify and TLS 1.3 David Benjamin
- Re: [TLS] close_notify and TLS 1.3 Hubert Kario
- Re: [TLS] close_notify and TLS 1.3 Eric Rescorla