Re: [TLS] TLS 1.3 and TCP interactions
David Benjamin <davidben@chromium.org> Fri, 29 May 2020 21:53 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B52B3A10D7 for <tls@ietfa.amsl.com>; Fri, 29 May 2020 14:53:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.25
X-Spam-Level:
X-Spam-Status: No, score=-9.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XeBd8HVYs0AZ for <tls@ietfa.amsl.com>; Fri, 29 May 2020 14:53:01 -0700 (PDT)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16AA33A1083 for <tls@ietf.org>; Fri, 29 May 2020 14:53:01 -0700 (PDT)
Received: by mail-pf1-x42a.google.com with SMTP id a4so479870pfo.4 for <tls@ietf.org>; Fri, 29 May 2020 14:53:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jYMysZRYiLwiUo1Qn4RZ/Cgwn3ZwlNl51kUav1o/xI8=; b=aF/Jw4g1hlzN0hECeWrVV3kO9QUFQ5xBAo/l2z6u6AWWMPH6NDFwkiBA5tqrTdeRMK mMmOEx9k2G4Hykoc2DOS/PsTTXNSWw3VTl/Orx5esG1EO3CCmjnPQJdlBd3WxpY6Azug Rl6VEUrSeKd+FnP0w9Q8Q5JZMOadFC62xARv0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jYMysZRYiLwiUo1Qn4RZ/Cgwn3ZwlNl51kUav1o/xI8=; b=NlSgSrkU1WEjXvl5AM/5fMJfE/e9bSarx2LSME4cp+wY+EArEluWQewhUmgokdaMc5 6BNgey/aahHCf101bTwWA3qJeqRCrXFtaAYnYcdKGdVeIIrxVMuBXULNcVioewGSFeCw zH939BVOhF6z5vddfnKkzeGLxNeF3/275w9mvcmNeZnuxr9wBpoaF3Ji2TqelEbUgyVl OHTrFrS6Y+mmylCLXn0pB5g6ZVj3eotQ2qEgaNeClUKOoTa5x1fHxLJOJhdJcjDmF40K UCGMQdjwpYSne1bLQbiUlGDYYg7juMY4py2rmJluKAy3alg5TG/sDe6UCcHX5e81pDra 7V3w==
X-Gm-Message-State: AOAM531QXO1OgP4A2gKeSzZLSi09G+Q+3i+hoPgKY7BTNA6QMu5Jkmm9 vkXKCbINJLCLVGCNYRR1rKRYWbPZ+7obEyuQDfd8xui5Fw==
X-Google-Smtp-Source: ABdhPJyYYf5V11xdnH9LFXwpWGv0eDwO0TNkk0M+1Lipzasciim1X9dFPrWxiqy5QNx4uiVL5qyAQiFazu7mAiuC5v4=
X-Received: by 2002:a63:d40c:: with SMTP id a12mr10104659pgh.124.1590789180240; Fri, 29 May 2020 14:53:00 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaBBKvcGMFRxxuVvfBo2Z96mqiEwLfG7H2ZQw0m5+TMnVg@mail.gmail.com> <36e4f801-f61f-4f7e-3a5f-2e68b5cf0f29@wizmail.org>
In-Reply-To: <36e4f801-f61f-4f7e-3a5f-2e68b5cf0f29@wizmail.org>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 29 May 2020 17:52:43 -0400
Message-ID: <CAF8qwaD81mA9mp0LFXAAamZc_PvSrqpbSEqUt=vzzRp9u3=o+Q@mail.gmail.com>
To: Jeremy Harris <jgh@wizmail.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000000a4bd05a6d078a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xQy4EuzYlIctDYcmd3LpOx6PSpM>
Subject: Re: [TLS] TLS 1.3 and TCP interactions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2020 21:53:02 -0000
On Fri, May 29, 2020 at 5:36 PM Jeremy Harris <jgh@wizmail.org> wrote: > On 29/05/2020 21:59, David Benjamin wrote: > > Moreover, in a client-speaks-first protocol, the error now comes after > the > > client has already sent its request. This is not only a behavior change > but > > makes it unreliable over TCP. TCP sees: > > > > > > 1. > > > > Client: write(ClientHello); > > 2. > > > > Server: read(ClientHello); write(ServerHello..Finished); > > 3. > > > > Client: read(ServerHello..Finished); write(Certificate..Finished); > > 4. > > > > Server: read(Certificate..Finished); write(bad_certificate); close(); > > Rather than close(), the server should shutdown(SHUT_WR) > > > 5. > > > > Client: write(“GET / ...”); read(???); > > > > > > Note (4) and (5) happen in parallel. Ideally ??? would be a > bad_certificate > > alert, but it is sometimes a TCP reset. I’m not a TCP expert, but I > believe > > this is because the client writes data (“GET / ...”) the server never > > consumes. > > ... because, having solely notified that it will send no more, the > server is free to continue to read from the socket. > The server's application logic has no reason to continue to read from the socket. This behavior typically comes from layers above the stack. From the server's perspective, the TLS library just said the handshake failed. It required a valid client certificate during the handshake, and the client did not produce one. This is fatal to the connection, so the server has no reason to keep it around and no application data to read or write. The issue is that we've tweaked the I/O patterns in TLS 1.3 such that the resulting overall behavior interacts badly with TCP. The server could shutdown(SHUT_WR) and intentionally hold on to the socket and drain data, in order to get the alert through. That's one of the options I described: > It seems the only fix is for the server to keep the connection alive for some time after the failure, maybe draining some bytes from the application, with some limit before giving up and resetting if the client seems to be writing a lot of data without ever reading. This would need to be quite up the stack. We have not implemented this. This, however, has DoS implications for the server and is a very different API shape from many current TLS libraries. David
- [TLS] TLS 1.3 and TCP interactions David Benjamin
- Re: [TLS] TLS 1.3 and TCP interactions Jeremy Harris
- Re: [TLS] TLS 1.3 and TCP interactions David Benjamin
- Re: [TLS] TLS 1.3 and TCP interactions Watson Ladd
- Re: [TLS] TLS 1.3 and TCP interactions Nico Williams
- Re: [TLS] TLS 1.3 and TCP interactions Jeremy Harris
- Re: [TLS] TLS 1.3 and TCP interactions Viktor Dukhovni
- Re: [TLS] TLS 1.3 and TCP interactions Ilari Liusvaara
- Re: [TLS] TLS 1.3 and TCP interactions David Benjamin
- Re: [TLS] TLS 1.3 and TCP interactions David Benjamin
- Re: [TLS] TLS 1.3 and TCP interactions Nico Williams