[TLS] Tr: Behaviour when TLS fails

To: <tls at ietf.org>
Subject: [TLS] Tr: Behaviour when TLS fails
From: Julien ÉLIE <julien at trigofacile.com>
Date: Thu, 25 Sep 2008 08:26:02 +0200
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Organization: TrigoFACILE -- http://www.trigofacile.com/
Sender: tls-bounces at ietf.org

Hi,

Would it be possible to have some more information about how to behave when
a TLS negotiation fails?

In RFC 4642 on TLS with NNTP, it is written:

   Upon receiving a 382 response to a STARTTLS command, the client MUST
   start the TLS negotiation before giving any other NNTP commands.  The
   TLS negotiation begins for both the client and server with the first
   octet following the CRLF of the 382 response.  If, after having
   issued the STARTTLS command, the client finds out that some failure
   prevents it from actually starting a TLS handshake, then it SHOULD
   immediately close the connection.

   [...]

   If the TLS negotiation fails, both client and server SHOULD
   immediately close the connection.  Note that while continuing the
   NNTP session is theoretically possible, in practice a TLS negotiation
   failure often leaves the session in an indeterminate state;
   therefore, interoperability can not be guaranteed.

But we do not know whether the "SHOULD immediately close the connection"
is in fact a MUST.

You can see a current discussion about that here:
   http://groups.google.fr/group/news.software.nntp/browse_frm/thread/aa305c96999afbcf


Some excerpts below.

Thanks beforehand for your answer (please CC: me as I am not subscribed
to the list).

Julien

----- Message d'origine -----De : "Julien ÉLIE"

Groupes de discussion : news.software.nntp
Envoyé : mercredi 24 septembre 2008 19:39
Objet : Re: Behaviour when STARTTLS fails

After having carefully reviewed it, I think I cannot submit an errata
report for that because of the difference between fatal and warning
messages in RFC 5246.  Even though almost everything is fatal, I see
that one:

  user_canceled
     This handshake is being canceled for some reason unrelated to a
     protocol failure.  If the user cancels an operation after the
     handshake is complete, just closing the connection by sending a
     close_notify is more appropriate.  This alert should be followed
     by a close_notify.  This message is generally a warning.

And unfortunately, the connection MAY go on (even though it SHOULD be
closed).

----- Message d'origine -----De : "Julien ÉLIE"

Groupes de discussion : news.software.nntp
Envoyé : mercredi 24 septembre 2008 21:20
Objet : Re: Behaviour when STARTTLS fails

Hi Russ,

I was having a hard time understanding RFC 5246, but the impression that I
was getting was that once you start establishing STARTTLS, either you
finish or you fail;


I also admit it is not clear at all!

if you send a warning message instead of an error
message, that means you're going to finish successfully.


  If an alert with a level of warning is sent and received, generally
  the connection can continue normally.  If the receiving party decides
                 ^^^^^^^^^^^^^^^^^^^^^
  not to proceed with the connection (e.g., after having received a
  no_renegotiation alert that it is not willing to accept), it SHOULD
  send a fatal alert to terminate the connection.  Given this, the
  sending party cannot, in general, know how the receiving party will
  behave.  Therefore, warning alerts are not very useful when the
  sending party wants to continue the connection, and thus are
  sometimes omitted.  For example, if a peer decides to accept an
  ^^^^^^^^^^^^^^^^^
  expired certificate (perhaps after confirming this with the user) and
  wants to continue the connection, it would not generally send a
           ^^^^^^^^^^^^^^^^^^^^^^^
  certificate_expired alert.

I couldn't find any notion of an unsuccessful finish.


Fatal => close.
But with warnings, nothing very precise is said :-/

  One of the content types supported by the TLS record layer is the
  alert type.  Alert messages convey the severity of the message
  (warning or fatal) and a description of the alert.  Alert messages
  with a level of fatal result in the immediate termination of the
  connection.

...

--
Julien ÉLIE

« Tout homme devrait un jour se marier ;
 après tout, le bonheur n'est pas la seule chose dans la vie. »


_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Tr: Behaviour when TLS fails
  - From: Eric Rescorla
- Re: [TLS] Tr: Behaviour when TLS fails
  - From: Martin Rex

Prev by Date: Re: [TLS] New version of draft-ietf-tls-psk-new-mac-aes-gcm
Next by Date: Re: [TLS] Consensus call for certificate URL extension
Previous by thread: [TLS] New version of draft-ietf-tls-psk-new-mac-aes-gcm
Next by thread: Re: [TLS] Tr: Behaviour when TLS fails
Index(es):
- Date
- Thread

[TLS] Tr: Behaviour when TLS fails

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.