Re: Protocol: PDUs received during TLS closure
- To: ietf-ldapbis@OpenLDAP.org
- Subject: Re: Protocol: PDUs received during TLS closure
- From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Date: Mon, 7 Mar 2005 19:10:56 +0100
- In-reply-to: <6.0.1.1.0.20040310123746.051a8bf0@127.0.0.1>
- References: <HBF.20040309t6y0@bombur.uio.no> <6.0.1.1.0.20040310123746.051a8bf0@127.0.0.1>
The 'Outstanding operations after TLS closure/renegotiation'
thread reminded me of a brief unresolved thread:
http://www.openldap.org/lists/ietf-ldapbis/200403/msg00066.html
At 10 Mar 2004, Kurt D. Zeilenga wrote:
>At 05:51 AM 3/9/2004, Hallvard B Furuseth wrote:
>>Protocol-22 says:
>>> 4.14.3. Closing a TLS Connection
>>> 4.14.3.1. Graceful Closure
>>
>>> The initiating protocol peer sends the TLS closure alert. If it
>>> wishes to leave the LDAP connection intact, it then MUST cease to
>>> send further PDUs and MUST ignore any received PDUs until it receives
>>> a TLS closure alert from the other peer.
>>
>> Why must the client ignore received PDUs? It makes sense for servers,
>> but clients could have use for them. At least unsolicited
>> notifications.
>
> I don't think this is a TLS thing... I think it's more of
> an LDAP thing.
>
> From a server perspective, it is trying to say (I think) that a
> server initiating the closure should not attempt to continue
> returning PDUs for an outstanding operation (or send any additional
> notices), and should ignore requests to start processing any new
> operations until it receives the alert from the client.
>
> And from a client perspective, it is trying to say that clients
> should not issue new operations until after they receive the
> alert from the server. The text does imply that the client
> should ignore notices. This seems somewhat odd.
>
> I am also concerned that the text doesn't discuss cipher suite
> changes, which need similar consideration.
>
>>Is this some TLS thing, that the network data is unreliable until TLS
>>closure is completed? If so there should not be talk about PDUs at all,
>>since any sent PDUs may be malformed.
>
> Right, if it is a TLS thing (which I don't think it is), it
> should say that further data arriving on the TLS connection is
> to be ignored.
--
Hallvard
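The rule from 4.14.3.1 that the thread is arguing about, modelled as an added example (this is not code from the thread, from the draft or from OpenLDAP): the peer that initiates TLS closure stops sending PDUs and drops everything it receives, including the response to its own outstanding operation and an unsolicited notification, until the other peer's closure alert arrives. The phase names, PDU strings and the scenario are constructed for illustration.

```python
from enum import Enum, auto


class Phase(Enum):
    TLS = auto()      # TLS active, LDAP PDUs flow normally
    CLOSING = auto()  # we sent close_notify, peer's alert not yet seen
    CLEAR = auto()    # both alerts exchanged, LDAP continues in cleartext


class ClosureInitiator:
    """The LDAP peer that initiates TLS graceful closure (constructed model)."""

    def __init__(self):
        self.phase = Phase.TLS
        self.sent, self.delivered, self.ignored = [], [], []

    def initiate_closure(self):
        self.phase = Phase.CLOSING
        return "close_notify"  # the TLS closure alert we put on the wire

    def send_pdu(self, pdu):
        # "MUST cease to send further PDUs" until the peer's alert arrives
        if self.phase is Phase.CLOSING:
            return False
        self.sent.append(pdu)
        return True

    def receive(self, msg):
        if self.phase is Phase.CLOSING:
            if msg == "close_notify":
                self.phase = Phase.CLEAR
                return "closure-complete"
            # "MUST ignore any received PDUs": an unsolicited notification
            # sent by the other peer at this point is lost, as the thread notes
            self.ignored.append(msg)
            return "ignored"
        self.delivered.append(msg)
        return "delivered"


def run_scenario():
    """Client closes TLS; server answers and sends a notice before its alert."""
    client = ClosureInitiator()
    client.send_pdu("searchRequest(1)")
    client.initiate_closure()
    events = [
        client.send_pdu("searchRequest(2)"),                 # False: blocked
        client.receive("searchResultDone(1)"),               # ignored
        client.receive("unsolicitedNotification(msgID 0)"),  # ignored
        client.receive("close_notify"),                      # closure-complete
        client.send_pdu("searchRequest(2)"),                 # True: in cleartext
        client.receive("searchResultDone(2)"),               # delivered
    ]
    return client, events
```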