Adding close_notify to the spec?
Scot
gmi1 at scotdoyle.com
Wed Nov 11 12:55:20 GMT 2020
On 11/10/20 8:39 PM, Michael Lazar wrote:
> On Sat, Nov 7, 2020 at 8:19 PM Scot <gmi1 at scotdoyle.com> wrote:
>
>> Does anyone have any concerns about amending the spec to state that a TLS
>> close_notify message should be sent before closing the TCP connection?
>> While TLS guarantees the integrity of the data from the server, it does
>> not guarantee completeness until a close_notify is received by the client.
>> Interested and able clients could then determine that they received a
>> complete response.
>>
>> The sending of close_notify is discussed in section 6.1 of RFC 8446 [1].
>>
>> This approach was previously discussed on the list by Michael Lazar and
>> solderpunk [2] [3] and kooda [4].
>>
>> <snip>
>>
>> You can inspect the TLS messages received from any server, including
>> the close_notify message, with the included Python script [6].
>>
>> 130 out of 208 servers listed on GUS [5] send the close_notify
>> message before disconnecting.
>
> Thank you so much for this fantastic writeup! I agree with your conclusion
> that close_notify should be explicitly called out in the gemini spec,
> particularly in the transaction diagram under section 1.1.
>
> I don't fault server authors for not implementing this correctly. If anything,
> it just goes to show that TLS libraries are almost universally crappy and
> unintuitive. We can't expect newcomers to gemini, many of whom are writing
> their first server or trying out a new language, to know the inner workings of
> TLS.
I agree. Even Python's TLS library does not send it by default when
closing an SSLSocket connection. Maybe now that the TLS 1.3 spec allows
unidirectional close_notify the library situation will slowly improve.
>
> I took your code snippet and added to my gemini portal at https://portal.mozz.us
> Now anyone can view their TLS connection details, including if the `send_alert`
> message was sent, by clicking on the [view cert] link at the top of the page.
> Hopefully this helps out as a quick way to test connections.
https://portal.mozz.us looks useful. Of the five servers I tested there
our results match.
>
> - mozz
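As an added example (not code from the thread, from the spec, or from the script Scot linked), a Python Gemini client that applies the completeness check described in the original message: it reads until EOF and counts the response as complete only if that EOF was a TLS close_notify, which requires wrapping the socket with `suppress_ragged_eofs=False`. It also shows the server-side `unwrap()` call that makes Python's ssl module send the alert Scot's reply says it omits by default. `ScriptedSocket` is a constructed stand-in so the check can run offline; the function names are mine.

```python
import socket
import ssl
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class GeminiResponse:
    header: bytes
    body: bytes
    complete: bool   # True only if the server ended with TLS close_notify

def read_response(tls_sock) -> GeminiResponse:
    """Read to EOF; needs a socket wrapped with suppress_ragged_eofs=False."""
    chunks, complete = [], True
    while True:
        try:
            chunk = tls_sock.recv(4096)
        except ssl.SSLEOFError:       # bare TCP FIN, no close_notify: truncated
            complete = False
            break
        if not chunk:                 # recv() returns b'' only after close_notify
            break
        chunks.append(chunk)
    header, sep, body = b"".join(chunks).partition(b"\r\n")
    return GeminiResponse(header, body, complete and bool(sep))
def fetch(url: str, timeout: float = 10.0) -> GeminiResponse:
    # Gemini uses TOFU, not CA validation; fingerprint pinning omitted (assumption).
    u = urlparse(url)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    raw = socket.create_connection((u.hostname, u.port or 1965), timeout)
    with ctx.wrap_socket(raw, server_hostname=u.hostname, suppress_ragged_eofs=False) as tls:
        tls.sendall(url.encode() + b"\r\n")
        return read_response(tls)
def close_with_notify(tls_sock) -> None:
    # Server side: close() alone sends no alert; unwrap() sends close_notify.
    try:
        raw = tls_sock.unwrap()
    except (ssl.SSLError, OSError):   # client already gone; close the TCP socket anyway
        raw = tls_sock
    raw.close()
class ScriptedSocket:
    # Constructed stand-in for an SSLSocket so the check can run offline.
    def __init__(self, chunks, close_notify):
        self.chunks, self.close_notify = list(chunks), close_notify
    def recv(self, n):
        if self.chunks:
            return self.chunks.pop(0)
        if self.close_notify:
            return b""
        raise ssl.SSLEOFError("EOF occurred in violation of protocol")
```

A client that keeps the default `suppress_ragged_eofs=True` cannot tell the two cases apart, since both then surface as `recv()` returning `b''`.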