Re: [TLS] Alert after sending ServerHello
Martin Thomson <martin.thomson@gmail.com> Wed, 26 April 2017 06:36 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 194D212785F for <tls@ietfa.amsl.com>; Tue, 25 Apr 2017 23:36:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wURR8tCeKJfc for <tls@ietfa.amsl.com>; Tue, 25 Apr 2017 23:36:08 -0700 (PDT)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E8A413184F for <tls@ietf.org>; Tue, 25 Apr 2017 23:35:34 -0700 (PDT)
Received: by mail-lf0-x22b.google.com with SMTP id 88so102297972lfr.0 for <tls@ietf.org>; Tue, 25 Apr 2017 23:35:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7U4k2/+3hc225LY/iJdJ69M9b90UVCH35a20RdnAmYU=; b=CqnZQTP0AdqVumq5XJ7+nSCKSW/N7Ane6c1jzNcW//rjLZSfZenGbQkH5qZgUGrHXQ Yk3D/SY5eP8EqfiGD1Rx8Xb4KnKnaPziglhkaHooOy8nUyK9nPFgcgE2jKaJUCr8xJGl Rg52hPsvwFUI1tcNwsErr8tMDQy51IImSi2gCNWcnRcAjX5uAg9Gfh4gJ6vvP9wWNUmC xc8QkqBPN4USP/7C304PrrTh+ZT6u2s8xByZdUTiCq2kTPmOVFBhyBG34RrKKWBqM6J8 wqFL6n0C1JcQt1Pd8rZq0fLyDZBFEk1asbrk4rkamEHq8s8TmDJt7qb5JWynQ0nJ8/vj Ql1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7U4k2/+3hc225LY/iJdJ69M9b90UVCH35a20RdnAmYU=; b=mzMRt6sW47NkKW9e2zSeS4Heq8FFzUmDWSZ4/dW9hg7H5qC5/udMmbMHw7R3C6IWEu F5e0VB4pDvxieOuheIaXW/P06woSv+xW9i7GYvrHRQvzNIu/Ryhr7vuwDAQ0PRA20F7A WRuLBMiMHoQOPul2GQtODbCbR+SX2lgWdVY6Q8fXhPuxdMc0wBRbwzzTuO2iUvMiN+Zh rA/qbAOvgOKqyK4qaZPeD/yLui9thNaVXnm5lMIThjqm7jAILREVDJxkBxm5qY+LKZDG OPd1qGgsXqU2EGvJqHuKxKiBOHow8cl/GpE3bosRynTCZjnig9ETH459p1ccMzhBXcrq vl0g==
X-Gm-Message-State: AN3rC/5GtzrfJPk2gvWV2kO8/n9f03OhHQsBh+qlzZw6Kzl6WGF9MjrE MCiKiORm43w4mKt16ptKZBng07l7xA==
X-Received: by 10.25.212.19 with SMTP id l19mr1487985lfg.169.1493188532350; Tue, 25 Apr 2017 23:35:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.46.83.2 with HTTP; Tue, 25 Apr 2017 23:35:31 -0700 (PDT)
In-Reply-To: <EAF9D3D6-A87D-450D-BCFB-36F8CDC8B14F@symantec.com>
References: <EAF9D3D6-A87D-450D-BCFB-36F8CDC8B14F@symantec.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 26 Apr 2017 16:35:31 +1000
Message-ID: <CABkgnnW9M2Jx77vBtUiGH1y67f6XKbAygOQg_EptqkApxhkZPw@mail.gmail.com>
To: Roelof Du Toit <Roelof_Dutoit@symantec.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xYyRICHrqXq7z78r-2DDa3pHeWk>
Subject: Re: [TLS] Alert after sending ServerHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 06:36:10 -0000
You are allowed to out NSS. We know that it's not ideal. I wrote that code and it's unencrypted for what I think is a good reason (others very much disagree). In part, it has to do with 0-RTT. In 0-RTT, we want to ensure that the client is able to continue sending 0-RTT until the entire server flight is received. Thus, we don't change out the keys until we receive and process the server Finished. The same code is used in 1-RTT. I think that we have a bug in that the alerts are 0-RTT encrypted; it might be better to send them in the clear as well. In effect, we assume that the entire flight is processed atomically and generate errors based on that. Only when the entire flight is processed cleanly do we install keys and respond. This is a pain for us, we don't have the code that Ilari talks about, so some of our tests end up hitting decode errors on the server, but it's been manageable thus far. On 26 April 2017 at 13:01, Roelof Du Toit <Roelof_Dutoit@symantec.com> wrote: > During interop testing with an open-source stack I ran into the following: > > CH ----> > > <---- SH,{EE,Cert,CV,Fin} > > alert ----> > > > > The alert was due to a decode error on CV, and the stack in question sent > the alert in a plaintext record. > > > > The current draft specification has the following text in section 6: > > "Like other messages, alert messages are encrypted as specified by the > current connection state." > > .. and the following in section 5.1: > > "Once record protection has started, TLSPlaintext records are protected" > > > > I expected the alert above to be sent in a ciphertext record, but I can also > see the client sending plaintext alerts for ServerHello decode failures. > > My conclusion is that the TLS 1.3 record layer on the server side should > support receiving both ciphertext and plaintext records after ServerHello > has been sent. > > > > One way for the server to handle the scenario above is to defer using > client_handshake_traffic_secret until the first app_data record is received. > That idea falls flat when the client is also sending early data and the > server wants to ignore the early data using trial decrypt with > client_handshake_traffic_secret: > > > > CH ----> > > (ed) -----X (discard) > > ...---- SH > > (ed) ----X (trial decrypt + discard) > > <---... > > alert ----> > > > > Another way this could work is if the server allows one (and only one) > plaintext record (with ContentType = alert) from the client during the > window where it has sent the SH,{EE,Cert,CV,Fin} sequence and is waiting for > the client's first encrypted handshake message. > > > > I would appreciate a recommendation in order to avoid future interop issues. > > > > --Roelof > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Alert after sending ServerHello Roelof Du Toit
- Re: [TLS] Alert after sending ServerHello Ilari Liusvaara
- Re: [TLS] Alert after sending ServerHello Martin Thomson
- Re: [TLS] Alert after sending ServerHello Ilari Liusvaara
- Re: [TLS] Alert after sending ServerHello Benjamin Kaduk
- Re: [TLS] Alert after sending ServerHello Martin Rex
- Re: [TLS] Alert after sending ServerHello Martin Thomson
- Re: [TLS] Alert after sending ServerHello Ilari Liusvaara
- Re: [TLS] [EXT] Re: Alert after sending ServerHel… Roelof Du Toit
- Re: [TLS] Alert after sending ServerHello Martin Thomson
- Re: [TLS] Alert after sending ServerHello Martin Thomson