tlswg / tls13-spec

TLS 1.3 Specification

Contradiction around user_cancelled #1208

Closed ekr closed 2 years ago

ekr commented 3 years ago

John Mattsson writes:

I think Section 6.1 Closure Alerts is a bit unclear:

First it is stated that user_canceled SHOULD be followed by close_notify:

"This alert SHOULD be followed by a "close_notify"."

Then it is stated that it MUST be followed by close_notify:

"Each party MUST send a "close_notify" alert before closing its write side of the connection, unless it has already sent some error alert."

And in the same section it is stated that any data following user_canceled MUST be ignored:

"Any data received after a closure alert has been received MUST be ignored."

This seems quite contradictory to me. I don't know what the correct behavior would be, but unless I misunderstood something, it looks like it should be addressed in rfc8446bis.

I think this is a remnant of when we transitioned alerts to error by default.

davidben commented 3 years ago

We ended up having to ignore user_cancelled alerts as if they were warning alerts (despite warning alerts being nominally removed) because JDK in TLS 1.3 sometimes sends them right before close_notify. I forget the details now, but I think it was some ad-hoc signaling of full-duplex vs. unidirectional close?

(I think NSS and OpenSSL also ignore them, though it looked like that was less in reaction to someone sending them and more a holdover from warning alert handling.)

martinthomson commented 3 years ago

Going on memory only, I believe that we did treat them as fatal for some time, but were forced to remove that for compatibility reasons similar to the ones that @davidben talks about.

ekr commented 3 years ago

@davidben So are you saying that JDK just sends them at some inappropriate point rather than in the handshake?

ekr commented 3 years ago

Following up, what if we were to just treat this as an alias for close_notify?

davidben commented 3 years ago

IIRC, they send user_cancelled followed by close_notify, as a non-standard signal to JDKs on the other side to do bidirectional close instead of unidirectional close? But I could be misremembering.

I think that means ignoring it is probably the right plan.

chris-wood commented 3 years ago

Discussed in 110: Preference is to ignore this.