IETF Logo Mail Archive

Re: [TLS] new error alerts?

Andrei Popov <Andrei.Popov@microsoft.com> Fri, 24 July 2015 05:50 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06DCA1B2F1E for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 22:50:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wrKqj4dXlgfZ for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 22:50:36 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0102.outbound.protection.outlook.com [207.46.100.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F33A1B2EB4 for <tls@ietf.org>; Thu, 23 Jul 2015 22:50:35 -0700 (PDT)
Received: from BLUPR03MB1393.namprd03.prod.outlook.com (10.163.81.14) by BLUPR03MB002.namprd03.prod.outlook.com (10.255.208.36) with Microsoft SMTP Server (TLS) id 15.1.219.9; Fri, 24 Jul 2015 05:50:32 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=lJ1FZm+eFFn+kTCGHxjZXjgq1nJiRPkH9rtPyNS3QjY=; b=OpJS43vIZ+hNyYb+3EQSRLc+33kC2UF0peSKiPGWWhhMDvcYnTxj/pXRKSWigG4Bluvy8eSVQtBgg7iDV2IK/YSDuasUfEqg3nFQHHqrvuopCsJ4PacvM1NErdVoYRMMT8BxKd+fvx67d0EKvGAONMo8waZc2tcNHygzkAn/EdI=
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1393.namprd03.prod.outlook.com (10.163.81.14) with Microsoft SMTP Server (TLS) id 15.1.225.19; Fri, 24 Jul 2015 05:50:31 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0225.018; Fri, 24 Jul 2015 05:50:31 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Dave Garrett <davemgarrett@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [TLS] new error alerts?
Thread-Index: AQHQxZ/bGudh2TqShEeKMw5Vn1emwZ3p6+uQgAAmpoCAAAhMIA==
Date: Fri, 24 Jul 2015 05:50:31 +0000
Message-ID: <BLUPR03MB139601B70F3BA143B15296178C810@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <201507222139.46391.davemgarrett@gmail.com> <CABcZeBO=VjGVYZ2B803Emaco62tz9jX_5nbAn7Nk6UCP9Q76PQ@mail.gmail.com> <BLUPR03MB1396750B52053B7AEFF418B68C810@BLUPR03MB1396.namprd03.prod.outlook.com> <201507240109.25969.davemgarrett@gmail.com>
In-Reply-To: <201507240109.25969.davemgarrett@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [90.181.160.186]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1393; 5:Rjca4boHvp4+iEZjJOOrzJxLap/cT3RneK575NvLnUGQARmcPiBvotR9lyMXiqsiw3jgP528dnM2UzQC8vGeeNnP7gzizcqJXytMi8tuDpgGAVuZ7RWlVklPyY/YW7fEOAHOdX15B7Hg9KjfG/jGVg==; 24:/UCTf8G5brOm6h88QQQAirnG8tNCzfztuPEWXa7cZfpldi2pvcQ605X49Lr+0reLVT0rdMPje/BQWTJeglTySsXijWNM0FHx2b6oUbxT68c=; 20:urOe+mtQ5SI1noe8JiGhhavC0p8r+WyZ3ZMgIYPexQW/wWqoxxbKh1mRgQIcU7wxOjKK8ijLrnE23fV4ToYkEQ==
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1393; UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB002;
blupr03mb1393: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <BLUPR03MB1393B6E7CB6253EFBBF42D448C810@BLUPR03MB1393.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BLUPR03MB1393; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1393;
x-forefront-prvs: 0647963F84
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(6009001)(24454002)(13464003)(377454003)(19580395003)(50986999)(54356999)(5003600100002)(122556002)(76576001)(40100003)(77156002)(33656002)(93886004)(62966003)(19580405001)(76176999)(2900100001)(86362001)(189998001)(92566002)(86612001)(2950100001)(5001770100001)(5001920100001)(66066001)(106116001)(74316001)(102836002)(2656002)(77096005)(5002640100001)(5001960100002)(99286002)(10090500001)(46102003)(87936001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1393; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jul 2015 05:50:31.3699 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1393
X-Microsoft-Exchange-Diagnostics: 1; BLUPR03MB002; 2:jerprggjPnG6byPxtSzPUlP7FU9oKW+QPK0NAl9SO0hmsxdzG4FJgzYABsQS7lWW; 3:GNWfvVN/Wd5tjLBW3FxmfnuQ+JHZ+rY5CSKyVgo8h62dwdTLAgn0WVofL0V1djAmlJFrzIytlQlkMPy75HYUP9MPWNm85FnoRt7dM0aWqqg7i+o+uMG/35LH2A401MYYXP5J97b0vT5qubKz92cH5A==; 25:evJ+c2vrGJB85lEUH/a3r8+tQMGLtXoDfav3GtHGUyZ9AOIOat73zIP84I8dw3MH7xJEWNPxVXYe7IPPnBRxicvLyRHk91HbruS9mCfhMI+2RPJXTivk1VSF+G2qz2ELv7cKkHdVsSos0TNCjd1ehP7fD1E0xLsQG37/tCiaBmW24tAnbgG781LoVNhtYv6JUZLNfiON4jazsTsw9MVEbaWafg2KXBUyfi87RhzPn9bZvTrDqFoxILDNb1GFfyn/nB4eegNG+54QL2x1RXZzXQ==
X-Microsoft-Exchange-Diagnostics: 1; BLUPR03MB002; 20:p3cVgh8PsDgFnY4BFBtXdX3YGirR9aKfF6PNFrxqDty4iLI0u7CUmjgza/ZV+sRM/+kj9dOOrKZaejDa6KrPDnVXfYykRnlGuTXaFf/FnjABoL1/Y2wJOq1813rmMtL9ScwHWCkfYnzRowLCb0Wm9PI2SMlsSYQL0B1XuSbnnUH+ulV1X3s4QSJ4UceMjS92th97WX2pMw2rmZydtnNsxN2wh9/4LABeb+YymI/HQ+nRYrBRLL7W/U2DcOn2O0r3JLO7paKzg6QWk+NHTbEZic+45OFSbV4pCOqIe9pTUF6nYjH6li2/oN8C20Uc7YA3ZY8VnatSDMngQfxbb/f0Kzvwc0bYHcC2YC4AHjSDBMRC1ouJRtPLX7ck2IUbzI6aG4Zwh0ZA9EkysIvaaYQw1daoNMnKrPTdWA61Fv3TUJ2ZVW7g7aCaMbCV/xf90oAN/MaYM5fMQqKaXrbZjS0eEfqIaq0Sqd5lx4kv8247xvXCIkcgxPsBP/uq3m44DLco; 23:2CyS6M1TYyRr22lil0MxTepEaQVm2VrA0bsQvVcyZBgEuRavmc203uP4jpTd3tEOXuzcY3RMsF/oLIrcPoRu7eLZJZNSTFw8JoTpRZ+PMTWlsd2JDl0olngdQvnqfRpE51OK8pensxtwnL9PnlFl7djaxvkZZn9aQmiZLYDjJgj7rlZk8APy9RFpmSMN0PCSAz0ypedGh8CUjr7Pqg2rtmiqB1VYC+VYcxFnB6mgFXsicVKKYuYh0t5SYQfYMn2V
BLUPR03MB002: X-MS-Exchange-Organization-RulesExecuted
X-OriginatorOrg: microsoft.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/w-WPpfqrywLCe8P7nueysViPC4E>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] new error alerts?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2015 05:50:38 -0000

> I'm proposing renaming "insufficient_security" to "unsupported_cipher_suites", which is explicitly what it's been for since TLS 1.0.

Not quite. Insufficient_security alert is defined as follows:
" Returned instead of handshake_failure when a negotiation has
   failed specifically because the server requires ciphers more
   secure than those supported by the client.  This message is always
   fatal."

This is a very narrow and specific definition. The server says "I know all the cipher suites the client advertises, and consider them too weak". By contrast, unsupported_cipher_suites means something like "I don't have a cipher suite in common with the client". The latter can happen when the client's cipher suites are more secure than the server's.

> What I want is to add a new "unsupported_groups" alert to use instead. (both here and there) The "client_authentication_failure" alert suggestion is to pull that out of the "handshake_failure" catchall.

I have absolutely no problem with the new alerts; my concern is about redefining existing alerts (and, for that matter, redefining existing cipher suites:)).

Cheers,

Andrei

-----Original Message-----
From: Dave Garrett [mailto:davemgarrett@gmail.com] 
Sent: Friday, July 24, 2015 7:09 AM
To: Andrei Popov; Eric Rescorla
Cc: tls@ietf.org
Subject: Re: [TLS] new error alerts?

On Thursday, July 23, 2015 10:52:59 pm Andrei Popov wrote:
> Rather than renaming and otherwise modifying the meaning of the existing alerts, would it be better to define new, more granular alerts in 1.3? We can’t ascribe new meanings to alerts generated by the code we’ve shipped in the past.

I'm not proposing changing the meaning of existing alerts. At most, the Negotiated FF-DH draft would need to be updated/fixed.

I'm proposing renaming "insufficient_security" to "unsupported_cipher_suites", which is explicitly what it's been for since TLS 1.0. There isn't a specific error defined for lack of a supported group yet. RFC 4492 just says "fatal handshake failure alert". The Negotiated FF-DH draft has "insufficient_security" for unsupported group. _That_ does change the meaning, as previously it was explicitly defined for cipher issues only. What I want is to add a new "unsupported_groups" alert to use instead. (both here and there) The "client_authentication_failure" alert suggestion is to pull that out of the "handshake_failure" catchall.

I just want to clarify the existing alert, not reuse it for a related but distinctly different alert, and not lump stuff into a catchall that we can't debug. ;)


Dave

v2.23.0 | Report a Bug | By Email