Re: [PATCH] SSL: shutdown cleanly when other endpoint starts shutdown

Judson Wilson
December 09, 2015 04:42PM
> > > As far as I understand, just looking for TCP FIN should be good
> > > enough for this task.
> >
> > TCP FIN can not be authenticated. A man in the middle can make one.
>
> The same is true for close_notify with your patch.

close_notify is encrypted using the current session state.
A MITM cannot spoof a close_notify if it does not have the keys.


> Just keeping in mind that no close_notify means that the
> response may be truncated should work. Note well that
> if it's client who closes the connection it's likely that the
> response is truncated (or the HTTP layer has enough
> information to check that it wasn't).

Sorry if this is incorrect, but isn't it easy to tell if a
response is truncated in HTTP/1.1 at the
HTTP protocol layer?

Again I want to reiterate that truncation is NOT my
concern (although I agree it IS important). My
setting involves releasing keys to a trusted monitor
with read-only privileges, on the client's behalf
(such as an exfiltration detector). The client needs
to protect the integrity of its session, and must
ensure that the key can not be used to masquerade
as the client to the server.


On Wed, Dec 9, 2015 at 5:34 AM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Tue, Dec 08, 2015 at 01:21:41PM -0800, Judson Wilson wrote:
>
> > > As far as I understand, just looking for TCP FIN should be good
> > > enough for this task.
> >
> > TCP FIN can not be authenticated. A man in the middle can make one.
>
> The same is true for close_notify with your patch. Just keeping
> in mind that no close_notify means that the response may be
> truncated should work. Note well that if it's client who closes
> the connection it's likely that the response is truncated (or the
> HTTP layer has enough information to check that it wasn't).
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
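As an added illustration of the HTTP-layer truncation check discussed above (example code, not from this thread or from nginx): a response framed by Content-Length or chunked encoding can be judged complete without help from TLS, while a close-delimited body cannot, which is exactly the case where a missing close_notify is the only signal. The sample responses in the test are constructed.

```python
# Added example, not code from the nginx thread or nginx itself: decide
# whether an HTTP/1.1 response captured up to connection close can be
# judged complete from HTTP framing alone.  Content-Length and chunked
# bodies carry enough information; a close-delimited body does not, and
# that is the case where a missing TLS close_notify is the only signal.

COMPLETE, TRUNCATED = "complete", "truncated"
UNDECIDABLE = "undecidable"  # no length framing: needs close_notify


def classify_response(raw: bytes) -> str:
    """Classify a raw HTTP/1.1 response seen up to connection close."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return TRUNCATED  # header section never terminated
    body = raw[sep + 4:]
    headers = {}
    for line in raw[:sep].decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return _classify_chunked(body)
    if "content-length" in headers:
        return COMPLETE if len(body) >= int(headers["content-length"]) else TRUNCATED
    return UNDECIDABLE


def _classify_chunked(body: bytes) -> str:
    """Walk chunk-size lines; complete only after the 0-chunk and trailers."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return TRUNCATED  # chunk-size line cut off
        try:
            size = int(body[pos:eol].split(b";")[0].strip(), 16)
        except ValueError:
            return TRUNCATED
        pos = eol + 2
        if size == 0:
            tail = body[pos:]  # empty line, or trailers ending in one
            return COMPLETE if tail == b"\r\n" or tail.endswith(b"\r\n\r\n") else TRUNCATED
        if len(body) < pos + size + 2:
            return TRUNCATED  # chunk data (plus its CRLF) cut off
        pos += size + 2
```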