[TLS] Post-handshake Finished when rejecting a CertificateRequest

[Martin Thomson]

https://github.com/tlswg/tls13-spec/issues/572

Discuss.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[Raja ashok]

Hi Benjamin,

I have gone through the GREASE mechanism which you proposed in your new draft. 
It’s really a nice idea for finding a buggy server before it thrives.

I am having few doubts on this, which are listed below.

a)  What should be the behaviour of client incase if a buggy server 
responded for a GREASE value ?

-  Consider a client sends a GREASE cipher value at first place and 
followed by valid cipher suites, in its client hello.

-  If a buggy server selects that cipher then it will response server 
hello with that GREASE cipher value. At this case if client sends FATAL alert 
then both side TLS and TCP needs to be closed and client needs to recreate a 
new TCP connection, and then restart TLS handshake without GREASE cipher value.

-  Instead of this we can make client to send warning alert (with new 
TLS alert code GREASE_CIPHER_VALUE_SELECTED(111)) and restart TLS handshake by 
sending client hello again.

-  If a server receives this new warning, then it should be ready to 
receive new client hello to restart handshake.



SERVER  
   CLIENT

CH (GREASE Cipher value & Valid Cipher value)  -->


<---  SH (GREASE cipher value)

Fatal alert>

TCP (SYN)>




CH (Valid cipher value) 
 --->

Scenario 1 : Sending FATAL alert for server selecting 
GREASE value



SERVER  
   CLIENT

CH (GREASE Cipher value & Valid Cipher value)  --->


<---  SH (GREASE cipher value)

Warning alert >

CH (Valid cipher value) 
 --->

Scenario 2 : Sending WARNING alert for server selecting 
GREASE value



-  I hope sending warning msg and restarting TLS handshake will be 
efficient.

-  TLS Server must notify the application, whenever it receives a 
GREASE warning alert.



b)  Why only few values are specified as GREASE value ? Basically all value 
which are not specified by IANA should be considered as GREASE value right ?

-  Basically client should maintain the list of values (cipher suite, 
extensions) specified by IANA. The range of values.

-  For example IANA specified cipher suite values are {{0x,0x005C}, 
{0x0060,0x006D}, {0x0084, 0x00C5}, {0x00FF, 0x00FF} ….. }. This should be 
maintained in client.

-  We should make the client to choose a random value which are not in 
this supported value list. That cipher value should be considered as GREASE 
value and need to keep in first place of its cipher list.

-  If its selected by a buggy server, then client should behave as 
mentioned in above scenario 2.

-  Even in future if IANA provides new values to new cipher, then this 
list also should be updated. Consider in this case server is supporting that 
new cipher and client is not aware about it, so client can propose that value 
as GREASE value, then still connection will work with the 2nd handshake.

-  I am not understanding why we are planning to maintain a few set of 
GREASE values {0x0A0A, 0x1A1A …. }. If I am missing something, please clarify 
me.

Regards,
R Ashok


Raja Ashok VK
华为技术有限公司 Huawei Technologies Co., Ltd.
[Company_logo]

Phone:
Fax:
Mobile:
Email:
Huawei Technologies Co., Ltd.
Bangalore, India
http://www.huawei.com

本邮件及其附件含有华为公司的保密信息，仅限于发送给上面地址中列出的个人或群组。禁
止任何其他人以任何形式使用（包括但不限于全部或部分地泄露、复制、或散发）本邮件中
的信息。如果您错收了本邮件，请您立即电话或邮件通知发件人并删除本邮件！
This e-mail and its attachments contain confidential information from HUAWEI, 
which
is intended only for the person or entity whose address is listed above. Any 
use of the
information contained herein in any way (including, but not limited to, total 
or partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify 
the sender by
phone or email immediately and delete it!
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of David Benjamin
Sent: 26 July 2016 04:02
To: tls@ietf.org
Subject: [TLS] Keeping TLS extension points working

Hi folks,

I'm not sure how this process usually works, but I would like to reserve a 
bunch of values in the T