[gnutls-devel] GnuTLS | Fail to retrieve directory listing connecting TLS 1.3 protocol (#1451)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat Feb 4 11:43:59 CET 2023

Tim Kosse commented:

TLS 1.3 has changed how close_notify works, now allowing half-closed connections that are only closed in one direction, whereas previously the recipient of close_notify had to immediately reply with a close_notify on its own resulting in a duplex close.

As existing applications might rely on the previous behavior, the OpenJDK developers try to emulate the previous behavior in TLS 1.3 through use of the user_canceled alert, intending to force a duplex close in TLS 1.3.

This non-standard use of user_canceled by OpenJDK as part of the normal connection shutdown obviously causes compatibility issues, depending on how other TLS libraries and the applications using them process and react to alerts. In particular, RFC 8446 explicitly states that post-handshake, user_canceled can be used "If a user cancels an operation", which is clearly at odds with OpenJDK's use of the alert.

I only see one viable solution: OpenJDK needs to get rid of the user_canceled workaround entirely. If TLS 1.3 breaking existing applications expecting TLS 1.2 behavior wrt. close_notify is a major concern, they could for example make TLS 1.3 an opt-in feature instead.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1451#note_1265730817
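As an added illustration of the alert semantics discussed in the comment above (this is not code from GnuTLS, OpenJDK or the commenter): a small Python model of a peer's read side that parses plaintext alert records and applies the TLS 1.2 duplex-close rule versus the TLS 1.3 half-close rule. It assumes the alert records have already been decrypted, and the sample records below are constructed to mirror the user_canceled-then-close_notify shutdown sequence described above.

```python
# Added example: models how a peer's read side reacts to alerts.
# Assumption: records are already decrypted, i.e. plaintext alert records.
from dataclasses import dataclass, field

CLOSE_NOTIFY, USER_CANCELED = 0, 90   # AlertDescription values (RFC 8446 section 6)
WARNING, FATAL = 1, 2                 # AlertLevel values
ALERT = 21                            # ContentType alert


def parse_alert_record(rec: bytes):
    """Parse one plaintext alert record: type(1) legacy_version(2) length(2) body(2)."""
    if len(rec) < 7 or rec[0] != ALERT:
        raise ValueError("not an alert record")
    length = int.from_bytes(rec[3:5], "big")
    if length != 2 or len(rec) != 5 + length:
        raise ValueError("malformed alert length")
    return rec[5], rec[6]  # (level, description)


@dataclass
class Endpoint:
    tls13: bool
    read_closed: bool = False
    write_closed: bool = False
    sent: list = field(default_factory=list)  # alerts emitted in response

    def on_alert(self, level: int, desc: int) -> str:
        if desc == CLOSE_NOTIFY:
            self.read_closed = True
            if not self.tls13 and not self.write_closed:
                # TLS 1.2 (RFC 5246 7.2.1): respond with our own close_notify -> duplex close
                self.sent.append((WARNING, CLOSE_NOTIFY))
                self.write_closed = True
                return "duplex-closed"
            return "half-closed"  # TLS 1.3: our write side stays open until we close it
        if desc == USER_CANCELED and level == WARNING:
            # RFC 8446 6.1: a warning that SHOULD be followed by close_notify; keep reading
            return "ignored-warning"
        if self.tls13 or level == FATAL:
            # RFC 8446 section 6: every other alert is an error alert; tear down both sides
            self.read_closed = self.write_closed = True
            return "aborted"
        return "ignored-warning"  # TLS 1.2 warning-level alert other than close_notify


def run_shutdown(peer: Endpoint, records):
    """Feed a sequence of alert records to the peer, returning the outcome of each."""
    return [peer.on_alert(*parse_alert_record(r)) for r in records]


# Constructed sample records: the shutdown sequence described above.
OPENJDK_STYLE = [bytes([ALERT, 3, 3, 0, 2, WARNING, USER_CANCELED]),
                 bytes([ALERT, 3, 3, 0, 2, WARNING, CLOSE_NOTIFY])]
```

Running `run_shutdown(Endpoint(tls13=True), OPENJDK_STYLE)` shows the TLS 1.3 peer ignoring the warning and ending half-closed with nothing sent back, while a TLS 1.2 peer answers a lone close_notify with its own and ends duplex-closed.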

