From b41c848f281bda976192136c6281185808c5e021 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 28 Apr 2020 14:41:54 +1000 Subject: [PATCH 1/2] Define the use of generic TLS alerts This was already permitted by the transport document, but it was not adequately explained. The example that tripped us up was ALPN, which has received a bit of attention here. Closes #3580. --- draft-ietf-quic-tls.md | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 7304b5f9f2..0c7685dd81 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -740,19 +740,25 @@ QUIC implementations SHOULD instead use the Retry feature (see Section 8.1 of {{QUIC-TRANSPORT}}). HelloRetryRequest is still used to request key shares. -## TLS Errors +## TLS Errors {#tls-errors} If TLS experiences an error, it generates an appropriate alert as defined in Section 6 of {{!TLS13}}. -A TLS alert is turned into a QUIC connection error by converting the one-byte -alert description into a QUIC error code. The alert description is added to -0x100 to produce a QUIC error code from the range reserved for CRYPTO_ERROR. -The resulting value is sent in a QUIC CONNECTION_CLOSE frame of type 0x1c. +A TLS alert is converted into a QUIC connection error. The alert description is +added to 0x100 to produce a QUIC error code from the range reserved for +CRYPTO_ERROR. The resulting value is sent in a QUIC CONNECTION_CLOSE frame of +type 0x1c. The alert level of all TLS alerts is "fatal"; a TLS stack MUST NOT generate alerts at the "warning" level. +QUIC permits the use of a generic code in place of a specific error code; see +Section 11 of {{QUIC-TRANSPORT}}. For TLS alerts, this includes replacing any +alert with a generic alert, such as handshake_failure (0x128 in QUIC). +Endpoints might use a generic error code to avoid possibly exposing +confidential information. + ## Discarding Unused Keys @@ -1567,12 +1573,13 @@ QUIC requires that the cryptographic handshake provide authenticated protocol negotiation. TLS uses Application Layer Protocol Negotiation (ALPN) {{!ALPN=RFC7301}} to select an application protocol. Unless another mechanism is used for agreeing on an application protocol, endpoints MUST use ALPN for -this purpose. When using ALPN, endpoints MUST immediately close a connection -(see Section 10.3 in {{QUIC-TRANSPORT}}) if an application protocol is not -negotiated with a no_application_protocol TLS alert (QUIC error code 0x178, see -{{tls-errors}}). While {{!ALPN}} only specifies that servers use this alert, -QUIC clients MUST also use it to terminate a connection when ALPN negotiation -fails. +this purpose. + +When using ALPN, endpoints MUST immediately close a connection (see Section +10.3 of {{QUIC-TRANSPORT}}) if an application protocol is not negotiated with a +no_application_protocol TLS alert (QUIC error code 0x178, see {{tls-errors}}). +While {{!ALPN}} only specifies that servers use this alert, QUIC clients MUST +use error 0x178 to terminate a connection when ALPN negotiation fails. An application protocol MAY restrict the QUIC versions that it can operate over. Servers MUST select an application protocol compatible with the QUIC version From 475242d0c9ca9e32113c90859748c7adf577fdfc Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 28 Apr 2020 21:16:40 +1000 Subject: [PATCH 2/2] Tweaks from review --- draft-ietf-quic-tls.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 0c7685dd81..170c9b2e65 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -756,8 +756,8 @@ alerts at the "warning" level. QUIC permits the use of a generic code in place of a specific error code; see Section 11 of {{QUIC-TRANSPORT}}. For TLS alerts, this includes replacing any alert with a generic alert, such as handshake_failure (0x128 in QUIC). -Endpoints might use a generic error code to avoid possibly exposing -confidential information. +Endpoints MAY use a generic error code to avoid possibly exposing confidential +information. ## Discarding Unused Keys @@ -1576,8 +1576,8 @@ is used for agreeing on an application protocol, endpoints MUST use ALPN for this purpose. When using ALPN, endpoints MUST immediately close a connection (see Section -10.3 of {{QUIC-TRANSPORT}}) if an application protocol is not negotiated with a -no_application_protocol TLS alert (QUIC error code 0x178, see {{tls-errors}}). +10.3 of {{QUIC-TRANSPORT}}) with a no_application_protocol TLS alert (QUIC error +code 0x178; see {{tls-errors}}) if an application protocol is not negotiated. While {{!ALPN}} only specifies that servers use this alert, QUIC clients MUST use error 0x178 to terminate a connection when ALPN negotiation fails.