Re: Protocol: PDUs received during TLS closure

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 05:51 AM 3/9/2004, Hallvard B Furuseth wrote:
>Protocol-22 says:
>> 4.14.3. Closing a TLS Connection
>> 4.14.3.1. Graceful Closure
>
>>    The initiating protocol peer sends the TLS closure alert. If it
>>    wishes to leave the LDAP connection intact, it then MUST cease to
>>    send further PDUs and MUST ignore any received PDUs until it receives
>>    a TLS closure alert from the other peer.
>
>Why must the client ignore received PDUs?  It makes sense for servers,
>but clients could have use for them.  At least unsolicited
>notifications.

I don't think this is an TLS thing...  I think it's more of
an LDAP thing.

 From a server perspective, it trying to say (I think) that a
server initiating the closure should not attempt to continue
returning PDUs for an outstanding operation (or send any additional
notices), and ignore requests to start processing any new
operations until it receives the alert from the client.

And from a client perspective, it trying to say that clients
should not issue new operations until after it receives the
alert from the server.  The text does imply that the client
should ignore notices.  This seems somewhat odd.

I am also concerned that the text doesn't discuss cipher suite
changes, which need similar consideration.

>Is this some TLS thing, that the network data is unreliable until TLS
>closure is completed?  If so there should not be talk about PDUs at all,
>since any sent PDUs may be malformed.

Right, if it a TLS thing (which I don't think it is), it
should that further data arriving on the TLS connection is
to be ignored.

Kurt