Re: [TLS] Tr: Behaviour when TLS fails

To: Julien ÉLIE <julien at trigofacile.com>
Subject: Re: [TLS] Tr: Behaviour when TLS fails
From: Eric Rescorla <ekr at networkresonance.com>
Date: Thu, 25 Sep 2008 09:27:28 -0700
Cc: tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <EED13F85BDFC46D0AA43656FC05ABF3B at Iulius>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <EED13F85BDFC46D0AA43656FC05ABF3B at Iulius>
Sender: tls-bounces at ietf.org
User-agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)

At Thu, 25 Sep 2008 08:26:02 +0200,
Julien ÉLIE wrote:
> 
> Hi,
> 
> Would it be possible to have some more information about how to behave when
> a TLS negotiation fails?
> 
> In RFC 4642 on TLS with NNTP, it is written:
> 
>     Upon receiving a 382 response to a STARTTLS command, the client MUST
>     start the TLS negotiation before giving any other NNTP commands.  The
>     TLS negotiation begins for both the client and server with the first
>     octet following the CRLF of the 382 response.  If, after having
>     issued the STARTTLS command, the client finds out that some failure
>     prevents it from actually starting a TLS handshake, then it SHOULD
>     immediately close the connection.
> 
>     [...]
> 
>     If the TLS negotiation fails, both client and server SHOULD
>     immediately close the connection.  Note that while continuing the
>     NNTP session is theoretically possible, in practice a TLS negotiation
>     failure often leaves the session in an indeterminate state;
>     therefore, interoperability can not be guaranteed.
> 
> But we do not know whether the "SHOULD immediately close the connection"
> is in fact a MUST.
> 
> You can see a current discussion about that here:
>     http://groups.google.fr/group/news.software.nntp/browse_frm/thread/aa305c96999afbcf
> 
> 
> Some excerpts below.
> 
> Thanks beforehand for your answer (please CC: me as I am not subscribed
> to the list).

TLS doesn't have any opinion about what you do with the underlying 
transport. So, as far as TLS is concerned, the underlying transport
(TCP) could stay open and you could try to negotiate NNTP on it.
It might even work. It's recommended not for the reasons noted
above. I wouldn't have a problem with 4462 saying MUST, but
I don't think it's required by the logic of TLS.

-Ekr
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

References:
- [TLS] Tr: Behaviour when TLS fails
  - From: Julien ÉLIE

Prev by Date: Re: [TLS] Tr: Behaviour when TLS fails
Next by Date: [TLS] Fwd: Last Call: draft-rescorla-tls-suiteb (Suite B Cipher Suites for TLS) to Informational RFC
Previous by thread: Re: [TLS] Tr: Behaviour when TLS fails
Next by thread: [TLS] Fwd: Last Call: draft-rescorla-tls-suiteb (Suite B Cipher Suites for TLS) to Informational RFC
Index(es):
- Date
- Thread

Re: [TLS] Tr: Behaviour when TLS fails

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.