Hubert Kairo found quite a few more spots in need of explicit error
designations, which have been amended into PR #201.
https://github.com/tlswg/tls13-spec/pull/201
I just noticed one error in the current draft text that was wrong and added a
fix for that as well. The Server Hello section said that lack of acceptable
group would result in an "insufficient_security" error, which is incorrect.
That error is clearly defined to be for lack of acceptable cipher suite. The
Negotiated Groups section says lack of acceptable group is a
“handshake_failure” error. I changed the text to state the error for suites, as
the other is already noted elsewhere. (this change is now in PR #201) This
brings up a problem, however: there is no distinct error for lack of group
support. The “handshake_failure” is a bit of a catchall, so there's no way for
a client to really know what's wrong if this happens. This is also why I don't
want to change the definition of the "insufficient_security" error. Clients
rely on these being relatively precise in order to show error messages that are
hopefully meaningful enough to get them fixed. As such, I'd like to propose
adding a new error just for this and renaming the old one to focus precisely on
its long defined meaning. While we're at it, a failure of client authentication
doesn't have its own error alert code either.
enum {
handshake_failure(40),
unsupported_cipher_suites(71), /* formerly insufficient_security */
unsupported_dh_groups(72), /* new */
client_authentication_failure(73), /* new */
(255)
} AlertDescription;
Pretty straightforward. Are there any other errors that can't be clearly
identified by the returned code? Debugging shouldn't be guesswork. ;)
Dave
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
