Re: [TLS] Should we require implementations to send alerts?

2015-09-21 Thread Hubert Kario
On Friday 18 September 2015 15:13:37 Bill Frantz wrote: > On 9/18/15 at 4:27 AM, hka...@redhat.com (Hubert Kario) wrote: > >except that a TLS1.3 version intolerant implementation won't > >show its ugly head until TLS1.4 gets deployed > > Is there a reason a test suite can't offer TLS 1.4, even if

Re: [TLS] Should we require implementations to send alerts?

2015-09-21 Thread Hubert Kario
On Friday 18 September 2015 13:24:33 Brian Smith wrote: > On Fri, Sep 18, 2015 at 4:36 AM, Hubert Kario wrote: > > On Friday 18 September 2015 00:58:19 Martin Rex wrote: > > > Easier troubleshooting is IMO a sufficient rationale to justify > > > existence of the alert

Re: [TLS] Should we require implementations to send alerts?

2015-09-19 Thread Kurt Roeckx
On Wed, Sep 16, 2015 at 01:54:20PM +0200, Florian Weimer wrote: > On 09/16/2015 01:51 PM, Henrik Grubbström wrote: > > On Wed, Sep 16, 2015 at 12:02 PM, Florian Weimer wrote: > >> On 09/15/2015 06:29 PM, Nico Williams wrote: > > [...] > >>> > >>> But if you have a fatal error

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Florian Weimer
On 09/16/2015 09:53 PM, Brian Smith wrote: > Assume the client and the server implement the mandatory-to-implement > parameters and that both the client and the server are otherwise > conformant. In this scenario, when would an alert other than the non-fatal > close_notify be sent? I have been

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Hubert Kario
On Wednesday 16 September 2015 12:53:53 Brian Smith wrote: > Thus, the empirical evidence from Mozilla's > widely-deployed implementation shows that (a) the requirement to send > alerts is difficult to conform to, and (b) it is unimportant in > practice to send alerts. and yet Firefox depends on

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Nico Williams
On Wed, Sep 16, 2015 at 12:53:53PM -0700, Brian Smith wrote: > Further, the alerting mechanism has encouraged the unsafe practice of > "version fallback." It is clear from looking at the bug databases of > Firefox and Chrome that their attempts to make security decisions based on > what alerts

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Nico Williams
On Sat, Sep 12, 2015 at 01:49:49PM -0700, Eric Rescorla wrote: > Issue: https://github.com/tlswg/tls13-spec/issues/242 > > In https://github.com/tlswg/tls13-spec/pull/231, Brian Smith argues: > > "Nobody must ever be *required* to send an alert. Any requirement for > sending an alert should be

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Brian Smith
On Thu, Sep 17, 2015 at 3:00 PM, Nico Williams wrote: > On Sat, Sep 12, 2015 at 01:49:49PM -0700, Eric Rescorla wrote: > > Issue: https://github.com/tlswg/tls13-spec/issues/242 > > > > In https://github.com/tlswg/tls13-spec/pull/231, Brian Smith argues: > > > > "Nobody

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread David Benjamin
(Resending from the right address, again. Possibly I should have subscribed with the other one...) On Thu, Sep 17, 2015 at 6:23 PM David Benjamin wrote: > On Thu, Sep 17, 2015 at 5:46 PM Brian Smith wrote: > >> On Thu, Sep 17, 2015 at 1:50 PM, Nico

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Brian Smith
On Thu, Sep 17, 2015 at 3:15 PM, Dave Garrett wrote: > On Thursday, September 17, 2015 06:00:05 pm Brian Smith wrote: > > There's no evidence that the presence or absence of an alert when a > > connection is closed makes any positive difference in the security of any > >

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Nico Williams
On Thu, Sep 17, 2015 at 03:00:05PM -0700, Brian Smith wrote: > On Thu, Sep 17, 2015 at 2:55 PM, Nico Williams > wrote: > > On Thu, Sep 17, 2015 at 05:47:50PM -0400, Dave Garrett wrote: > > > > Yes, exactly. Thanks. > > > > There's no evidence that the presence or absence

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Brian Smith
Martin Thomson wrote: > On 17 September 2015 at 14:46, Brian Smith wrote: > > Browser vendors, if web servers were to stop sending alerts during > handshake > > failures, would you start doing version fallback when a connection is > > closed? > >

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Brian Smith
On Thu, Sep 17, 2015 at 1:50 PM, Nico Williams wrote: > On Wed, Sep 16, 2015 at 12:53:53PM -0700, Brian Smith wrote: > > Further, the alerting mechanism has encouraged the unsafe practice of > > "version fallback." It is clear from looking at the bug databases of > >

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Nico Williams
On Thu, Sep 17, 2015 at 02:46:39PM -0700, Brian Smith wrote: > On Thu, Sep 17, 2015 at 1:50 PM, Nico Williams > wrote: > > Do we think that silent connection closings wouldn't also lead to > > version fallback? > > Let's ask the browser vendors: > > Browser vendors, if

Re: [TLS] Should we require implementations to send alerts?

2015-09-17 Thread Brian Smith
On Thu, Sep 17, 2015 at 2:55 PM, Nico Williams wrote: > On Thu, Sep 17, 2015 at 05:47:50PM -0400, Dave Garrett wrote: > > On Thursday, September 17, 2015 03:27:10 pm Brian Smith wrote: > > > (We should focus on conformant implementations because non-conformant > > >

Re: [TLS] Should we require implementations to send alerts?

2015-09-16 Thread Nico Williams
On Wed, Sep 16, 2015 at 12:02:57PM +0200, Florian Weimer wrote: > On 09/15/2015 06:29 PM, Nico Williams wrote: > > But if you have a fatal error you'll be closing immediately anyways. > > I'm trying to explain that any requirement to send fatal alerts will be > difficult to implement. With the

Re: [TLS] Should we require implementations to send alerts?

2015-09-14 Thread Hanno Böck
On Sat, 12 Sep 2015 13:49:49 -0700 Eric Rescorla wrote: > Issue: https://github.com/tlswg/tls13-spec/issues/242 > > In https://github.com/tlswg/tls13-spec/pull/231, Brian Smith argues: > > "Nobody must ever be *required* to send an alert. Any requirement for > sending an alert

Re: [TLS] Should we require implementations to send alerts?

2015-09-13 Thread Andrei Popov
On Saturday, September 12, 2015 05:55:41 pm Salz, Rich wrote: > > > After all, what are you going to do when the connection drops > > > without a GOAWAY? Drop the connection? > > > > Try again, assuming the probl

Re: [TLS] Should we require implementations to send alerts?

2015-09-12 Thread Salz, Rich
> > After all, what are you going to do when the connection drops without > > a GOAWAY? Drop the connection? > > Try again, assuming the problem is a one-time glitch? That's important. Without the alert, you might just try again. And again. And again.. ..

Re: [TLS] Should we require implementations to send alerts?

2015-09-12 Thread Eric Rescorla
On Sat, Sep 12, 2015 at 2:13 PM, Martin Thomson wrote: > On 12 September 2015 at 13:49, Eric Rescorla wrote: > > "Nobody must ever be required to send an alert. Any requirement for > sending > > an alert should be SHOULD, at most." > > This was a point

Re: [TLS] Should we require implementations to send alerts?

2015-09-12 Thread Geoffrey Keating
Martin Thomson writes: > On 12 September 2015 at 13:49, Eric Rescorla wrote: > > "Nobody must ever be required to send an alert. Any requirement for sending > > an alert should be SHOULD, at most." > > This was a point of debate for HTTP/2 as well. The

Re: [TLS] Should we require implementations to send alerts?

2015-09-12 Thread Martin Thomson
This seems like the right set of options... On 12 September 2015 at 14:26, Eric Rescorla wrote: > 1. Require termination and say nothing else I think the mere existence of alerts suggests that this isn't really a good option. > 2. Require termination and suggest an alert. > 3.

Re: [TLS] Should we require implementations to send alerts?

2015-09-12 Thread Eric Rescorla
On Sat, Sep 12, 2015 at 3:18 PM, Viktor Dukhovni wrote: > On Sat, Sep 12, 2015 at 01:49:49PM -0700, Eric Rescorla wrote: > > > "Nobody must ever be *required* to send an alert. Any requirement for > > sending an alert should be SHOULD, at most." > To be clear, you're

Re: [TLS] Should we require implementations to send alerts?

2015-09-12 Thread Viktor Dukhovni
On Sat, Sep 12, 2015 at 01:49:49PM -0700, Eric Rescorla wrote: > "Nobody must ever be *required* to send an alert. Any requirement for > sending an alert should be SHOULD, at most." Interoperability problems are hard enough to debug even when alerts are sent, and they are *very* useful. If the