IETF Logo Mail Archive

Re: [TLS] Should we require implementations to send alerts?

mrex@sap.com (Martin Rex) Thu, 17 September 2015 22:58 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36DFB1A21BA for <tls@ietfa.amsl.com>; Thu, 17 Sep 2015 15:58:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.652
X-Spam-Level:
X-Spam-Status: No, score=-4.652 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DToKc8SEYfBJ for <tls@ietfa.amsl.com>; Thu, 17 Sep 2015 15:58:21 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89CC01A21B0 for <tls@ietf.org>; Thu, 17 Sep 2015 15:58:21 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 8F1D3443C1; Fri, 18 Sep 2015 00:58:19 +0200 (CEST)
X-purgate-ID: 152705::1442530699-00001EB9-4F184298/0/0
X-purgate-size: 2816
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 7C8D34048C; Fri, 18 Sep 2015 00:58:19 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 725411A293; Fri, 18 Sep 2015 00:58:19 +0200 (CEST)
In-Reply-To: <CAFewVt5g_+beKQCg4Y+a7b6QcuJSRXcRm+wY+upDYAusJoRa8Q@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Date: Fri, 18 Sep 2015 00:58:19 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150917225819.725411A293@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/wLPDs8IKTCvOhZzsZbQYIvkasCM>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Should we require implementations to send alerts?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2015 22:58:24 -0000

Brian Smith wrote:
> 
> There's no evidence that the presence or absence of an alert when a
> connection is closed makes any positive difference in the security of any
> non-secure fallback mechanism. Keep in mind that the alerts during the
> handshake are NOT authenticated, and the TLS threat models thus assumes
> that the attacker can remove or alter them.

Alerts can help troubleshooting/debugging, in particular when one only has
access to logs/traces of one of the communication peers.

Alerts are not authenticated, and whenever they're the last message
on a connection, could get lost on socket closure (killed in a tcp
socket when pipe is full and lingering not enabled), or could get
stripped by an attacker.

How many TLS implementation remove a session from the session cache
if the session ends without close-notify?  The original idea wasn't
really well thought-out, because implementations may start TLS session
"forking" (storing sessions in cache and proposing their resumption
on parallel network connections) immedately when the TLS handshake
has completed (and before any app-level request & response has completed,
i.e. long before a close-notify alert will be exchanged.

There are TLS implementations that use a transport-free programming API,
which means that the decision to send a fatal alert over the transport
is not a decision of the TLS implementation, but of the application caller
on top.  And that application caller may not bother with processing any
"transport requests" that accompany a fatal API error code at all.

Microsoft' TLS implementation (SChannel) is an example of a transport-less
implementation, and neither MSIE nor IIS send fatal TLS alerts over the
wire before they close the network connection after a TLS handshake failure.
(I don't have any Windows 8.x or 10 machines, so I don't know whether
 this was ever changed).  You'll have to dig out the TLS alert number
from the windows system event log on the machine where it happened,
which is often not an option when the remote peer from a different
service provider hangs up half way through the TLS handshake.


Easier troubleshooting is IMO a sufficient rationale to justify existence
of the alert mechanism and a "SHOULD send the alert before closing the
network connection".

A "MUST send fatal alert" requirement, however, would be silly (and
will be void in face of rfc2119 section 6 anyway).  What would be
the semantics of such a requirement anyway?

If one of the communication peers closes the network connection
prior to completion of the TLS handshake, then the result is a 100%
interoperability failure.  How is a "MUST send alert" supposed to
affect that outcome when the server does not send one?
Is it a 120% interop failure then?

-Martin

v2.23.0 | Report a Bug | By Email