From 629996a63ee2e859713ab40a80dce300f302b8b5 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 17 Sep 2019 14:25:39 +1000 Subject: [PATCH 1/4] Remove 'given' --- draft-ietf-quic-tls.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index b08700ce72..319a143058 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -404,12 +404,12 @@ A QUIC client starts TLS by requesting TLS handshake bytes from TLS. The client acquires handshake bytes before sending its first packet. A QUIC server starts the process by providing TLS with the client's handshake bytes. -At any given time, the TLS stack at an endpoint will have a current sending -encryption level and receiving encryption level. Each encryption level is -associated with a different flow of bytes, which is reliably transmitted to the -peer in CRYPTO frames. When TLS provides handshake bytes to be sent, they are -appended to the current flow and any packet that includes the CRYPTO frame is -protected using keys from the corresponding encryption level. +At any time, the TLS stack at an endpoint will have a current sending encryption +level and receiving encryption level. Each encryption level is associated with a +different flow of bytes, which is reliably transmitted to the peer in CRYPTO +frames. When TLS provides handshake bytes to be sent, they are appended to the +current flow and any packet that includes the CRYPTO frame is protected using +keys from the corresponding encryption level. QUIC takes the unprotected content of TLS handshake records as the content of CRYPTO frames. TLS record protection is not used by QUIC. QUIC assembles From 136cd0176ad9815a42f7ae6fb484956efcc74873 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 17 Sep 2019 14:26:04 +1000 Subject: [PATCH 2/4] QUIC only carries TLS handshake and alert --- draft-ietf-quic-tls.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 319a143058..e6a2fc3191 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -416,6 +416,11 @@ CRYPTO frames. TLS record protection is not used by QUIC. QUIC assembles CRYPTO frames into QUIC packets, which are protected using QUIC packet protection. +QUIC is only capable of conveying TLS handshake records in CRYPTO frames. TLS +alerts are turned into QUIC CONNECTION_CLOSE error codes; see {{tls-errors}}. +TLS application data and other message types cannot be carried by QUIC at any +encryption level and can be treated as an error if they are received. + When an endpoint receives a QUIC packet containing a CRYPTO frame from the network, it proceeds as follows: @@ -629,10 +634,6 @@ A client that wishes to send 0-RTT packets uses the "early_data" extension in the ClientHello message of a subsequent handshake (see Section 4.2.10 of {{!TLS13}}). It then sends the application data in 0-RTT packets. -Early data within the TLS connection MUST NOT be used. As it is for other TLS -application data, a server MUST treat receiving early data on the TLS connection -as a connection error of type PROTOCOL_VIOLATION. - ## Accepting and Rejecting 0-RTT From 3a813cdab5b53aeb5cbb3064f9046dcf6179eddd Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 17 Sep 2019 17:45:55 +1000 Subject: [PATCH 3/4] received from TLS --- draft-ietf-quic-tls.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index e6a2fc3191..cbe6e38ad7 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md 
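Review bot: in the first hunk of PATCH 2 (@@ -416,6 +416,11 @@), "can be treated as an error if they are received" is ambiguous about direction (received from the peer inside a CRYPTO frame, or handed to QUIC by the local TLS stack) and is non-normative, while the paragraph this same patch deletes below stated a MUST with a concrete error type. Suggest stating both here, e.g. "TLS application data and other message types cannot be carried by QUIC at any encryption level; an endpoint MUST treat receiving them from the TLS stack as a connection error of type PROTOCOL_VIOLATION." Also worth a second look: the subject line says QUIC "carries TLS handshake and alert", but the added text says alerts are converted into CONNECTION_CLOSE codes rather than carried in CRYPTO frames, so "handshake only" would describe the text more accurately.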
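Review bot: the second hunk of PATCH 2 (@@ -629,10 +634,6 @@) deletes the only normative statement on early data arriving over the TLS connection ("a server MUST treat receiving early data on the TLS connection as a connection error of type PROTOCOL_VIOLATION"), and the replacement paragraph added earlier in this patch only says such data "can be treated as an error" with no error code. The requirement is weakened rather than moved. Either carry the PROTOCOL_VIOLATION wording into the new paragraph at line 419 or keep this sentence under the 0-RTT section so the 0-RTT case stays explicit.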
@@ -419,7 +419,8 @@ protection. QUIC is only capable of conveying TLS handshake records in CRYPTO frames. TLS alerts are turned into QUIC CONNECTION_CLOSE error codes; see {{tls-errors}}. TLS application data and other message types cannot be carried by QUIC at any -encryption level and can be treated as an error if they are received. +encryption level and can be treated as an error if they are received from the +TLS stack. When an endpoint receives a QUIC packet containing a CRYPTO frame from the network, it proceeds as follows: From df5d9f102587b8fbcce1f3d815698774042bea26 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 18 Sep 2019 11:45:25 +1000 Subject: [PATCH 4/4] is an error --- draft-ietf-quic-tls.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index cbe6e38ad7..3069be0fb2 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -419,8 +419,7 @@ protection. QUIC is only capable of conveying TLS handshake records in CRYPTO frames. TLS alerts are turned into QUIC CONNECTION_CLOSE error codes; see {{tls-errors}}. TLS application data and other message types cannot be carried by QUIC at any -encryption level and can be treated as an error if they are received from the -TLS stack. +encryption level and is an error if they are received from the TLS stack. When an endpoint receives a QUIC packet containing a CRYPTO frame from the network, it proceeds as follows:
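Review bot: in PATCH 3 (@@ -419,7 +419,8 @@), adding "from the TLS stack" settles which direction the sentence covers, but it leaves the other direction unaddressed: the paragraph that follows ("When an endpoint receives a QUIC packet containing a CRYPTO frame from the network") says nothing about non-handshake TLS content arriving from the peer in CRYPTO frames. If the intent is that the local TLS stack rejects it and the resulting alert is mapped through {{tls-errors}}, one sentence saying so would close the gap; otherwise readers may assume QUIC itself has to inspect CRYPTO frame contents.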
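Review bot: in PATCH 4 (@@ -419,8 +419,7 @@), the rewritten sentence has a subject/verb mismatch: "TLS application data and other message types cannot be carried by QUIC at any encryption level and is an error if they are received from the TLS stack" makes the plural subject govern "is". Suggest splitting it: "TLS application data and other message types cannot be carried by QUIC at any encryption level. It is an error if they are received from the TLS stack." Since PATCH 2 removed the 0-RTT paragraph that named PROTOCOL_VIOLATION, this is now the only place the requirement lives, so "It is a connection error of type PROTOCOL_VIOLATION if they are received from the TLS stack" would keep the error code in the document.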