errata logo graphic

Found 4 records.

Status: Verified (2)

RFC4346, "The Transport Layer Security (TLS) Protocol Version 1.1", April 2006

Note: This RFC has been obsoleted by RFC5246

Source of RFC: tls (sec)

Errata ID: 1075

Status: Verified
Type: Technical

Reported By: Eric Rescorla
Date Reported: 2006-02-26

Section 4.7 says:

PKCS #1 block type 0 or type 1, as described in [PKCS1A].

It should say:

PKCS #1 block type 1, as described in [PKCS1A].

Errata ID: 1896

Status: Verified
Type: Technical

Reported By: Alfred Hoenes
Date Reported: 2006-05-29
Verifier Name: Pasi Eronen
Date Verified: 2009-10-14

Section 7.2.2 says:

   decryption_failed
      This alert MAY be returned if a TLSCiphertext decrypted in an
      invalid way: either it wasn't an even multiple of the block
      length, or its padding values, when checked, weren't correct.
      This message is always fatal.

   Note: Differentiating between bad_record_mac and decryption_failed
         alerts may permit certain attacks against CBC mode as used in
         TLS [CBCATT].  It is preferable to uniformly use the
         bad_record_mac alert to hide the specific type of the error.

It should say:

   decryption_failed
      This alert was used in TLS version 1.0, and MUST NOT be sent in
      TLS 1.1.

   Note: Differentiating between bad_record_mac and decryption_failed
         alerts may have permitted certain attacks against CBC mode 
         as used in TLS 1.0 [CBCATT].  It is preferable to uniformly 
         use the bad_record_mac alert to hide the specific type of 
         the error.

Notes:

(split off from Errata ID 117 )

The original text contradicted the text for bad_record_mac
("This alert also MUST be returned if an alert is sent because
a TLSCiphertext decrypted in an invalid way").


Status: Held for Document Update (2)

RFC4346, "The Transport Layer Security (TLS) Protocol Version 1.1", April 2006

Note: This RFC has been obsoleted by RFC5246

Source of RFC: tls (sec)

Errata ID: 116

Status: Held for Document Update
Type: Editorial

Reported By: David Hopwood
Date Reported: 2006-05-11
Held for Document Update by: Pasi Eronen
Report Text:

Following references should all be to Section 12:

Section 6:
# See Section 11 for IANA Considerations for ContentType values.

Section 7.2.2:
# See Section 11 for IANA Considerations for alert values.

Section 7.4:
# See Section 11 for IANA Considerations for these values.

Section 7.4.4:
# Additional information describing the role of IANA in the allocation
# of ClientCertificateType code points is described in Section 11.

from pending

Errata ID: 117

Status: Held for Document Update
Type: Editorial

Reported By: Alfred Hoenes
Date Reported: 2006-05-29
Held for Document Update by: Pasi Eronen
Date Held: 2009-09-25

 

(C2)  imprecise data description for `ciphersuites`

Section 7.4.1.2, on page 37 defines the syntax:

      uint8 CipherSuite[2];    /* Cryptographic suite selector */

According to the specifications given in Section 4.3, vectors
of type CipherSuite strictly must have byte lengths being a
multiple of 2.
This also means that the upper bound for a varaiable-length array
of type CipherSuite should always be a multiple of 2.
Hence, the declaration in Section 7.4.1.2, on top of page 38,

      struct {
          ProtocolVersion client_version;
          Random random;
          SessionID session_id;
          CipherSuite cipher_suites<2..2^16-1>;
          CompressionMethod compression_methods<1..2^8-1>;
      } ClientHello;

should better say:

      struct {
          ProtocolVersion client_version;
          Random random;
          SessionID session_id;
|         CipherSuite cipher_suites<2..2^16-2>;
          CompressionMethod compression_methods<1..2^8-1>;
      } ClientHello;

This issue recurs in Appendix A.4.1 (2nd line from bottom of p.57)
and at various places in other TLS RFCs, in particular in RFC 4347
and RFC 4366 -- see my errata messages for these RFCs.

Historical Note:
  In SSL 2.0, the CipherSuite construct was 3 bytes long.
  Because 3 divides 2^16-1,  <3..2^16-1>  was an appropriate size
  range then.  The issue has been introduced with SSL 3.0.


(C3)  missing Reference

Appendix B, at the bottom of page 66, contains the Glossary item:

   RC2
      A block cipher developed by Ron Rivest at RSA Data Security, Inc.
      [RSADSI] described in [RC2].

There is no such Reference "[RSADSI]" in the Informative References
Section, on pp. 82 ff. -- apparently, it has been prematurely deleted
from RFC 2246.  Perhaps, nothing would be lost when replacing the
above Glossary item by:

   RC2
      A block cipher developed by Ron Rivest described in [RC2].


(C4)  Outdated Normative Reference

RFC 4346 has been jointly published with RFC 4366, which has
obsoleted RFC 3546.
Therefore, it would have been much more consistent to replace,
in the Normative References Section, on page 82, the entry:

   [TLSEXT]   Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
              and T. Wright, "Transport Layer Security (TLS)
              Extensions", RFC 3546, June 2003.

by:

   [TLSEXT]   Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
              and T. Wright, "Transport Layer Security (TLS)
|             Extensions", RFC 4366, April 2006.
                               ^^^^^^^^^^^^^^^^

(C5)  unexpected / inappropriate Reference

Page 83 contains the inappropriate Informative Reference:

   [TCP]      Hellstrom, G. and P. Jones, "RTP Payload for Text
              Conversation", RFC 4103, June 2005.

This clearly should be:

|  [TCP]      Postel, J., "Transmission Control Protocol", STD 7,
|             RFC 793, September 1981.

(Cf. the single citation to [TCP], in the first paragraph of Section 1,
on page 4.)


Simple textual issues (errata)
==============================

(E1)  typo

The second paragraph of Section 3 of RFC 4346, on page 6, says:

   This document is not intended to supply any details of service
   definition or of interface definition, although it does cover select
   areas of policy as they are required for the maintenance of solid
   security.

It should perhaps say:

   This document is not intended to supply any details of service
   definition or of interface definition, although it does cover
|  selected areas of policy as they are required for the maintenance of
   solid security.

(E2)  copy-and-paste error (?)

At the bottom of page 11, Section 4.7 of RFC 4346 says:

   In public key encryption, a public key algorithm is used to encrypt
   data in such a way that it can be decrypted only with the matching
   private key.  A public-key-encrypted element is encoded as an opaque
   vector <0..2^16-1>, where the length is specified by the signing
   algorithm and key.

It should say:

   In public key encryption, a public key algorithm is used to encrypt
   data in such a way that it can be decrypted only with the matching
   private key.  A public-key-encrypted element is encoded as an opaque
|  vector <0..2^16-1>, where the length is specified by the encrypting
   algorithm and key.
                                                            ^^^^^^^^^^

(E3)  typo

The beginning of the first paragraph of Section 6.1, on page 15,

   A TLS connection state is the operating environment of the TLS Record
   Protocol.  It specifies a compression algorithm, and encryption
   algorithm, and a MAC algorithm.  In addition, the parameters for

should say (replacing "and" by "an"):

   A TLS connection state is the operating environment of the TLS Record
|  Protocol.  It specifies a compression algorithm, an encryption
   algorithm, and a MAC algorithm.  In addition, the parameters for


(E4)  word twister

Near the bottom of page 15, Section 6.1 says:

   compression algorithm
      An algorithm to be used for data compression.  This specification
      must include all information the algorithm requires compression.

It should perhaps say:

   compression algorithm
      An algorithm to be used for data compression.  This specification
|     must include all information the compression algorithm requires.


(E5)  improper indentation

In Section 7.4.1.1, on page 36, a headline is indented too much;
the text,

         Structure of this message:

             struct { } HelloRequest;

   Note: This message MUST NOT be included ...

should say:

|  Structure of this message:

             struct { } HelloRequest;

   Note: This message MUST NOT be included ...


(E6)  improper line (un)folding and irregular indentation

In Section 7.4.1.2, at the bottom of page 36, the text,

      struct {
         uint32 gmt_unix_time;
         opaque random_bytes[28];
      } Random;

   gmt_unix_time The current time and date in standard UNIX 32-bit
      format (seconds since the midnight starting Jan 1, 1970, GMT,
      ignoring leap seconds) according to the sender's internal clock.
      Clocks are not required to be set correctly by the basic TLS
      Protocol; higher-level or application protocols may define
      additional requirements.

         random_bytes
             28 bytes generated by a secure random number generator.

following the layout style followed in the remainder of the document
should be formatted as:

      struct {
         uint32 gmt_unix_time;
         opaque random_bytes[28];
      } Random;

|  gmt_unix_time
|     The current time and date in standard UNIX 32-bit
      format (seconds since the midnight starting Jan 1, 1970, GMT,
      ignoring leap seconds) according to the sender's internal clock.
      Clocks are not required to be set correctly by the basic TLS
      Protocol; higher-level or application protocols may define
      additional requirements.

|  random_bytes
|     28 bytes generated by a secure random number generator.


(E7)  improper line (un)folding

The last paragraph of Section 7.4.1.3, on page 40,

   compression_method The single compression algorithm selected by the
      server from the list in ClientHello.compression_methods.  For
      resumed sessions this field is the value from the resumed session
      state.

consistently should be formatted as:

|  compression_method
|     The single compression algorithm selected by the server from the
      list in ClientHello.compression_methods.  For resumed sessions
      this field is the value from the resumed session state.


(E8)  improper line (un)folding and irregular indentation

In Section 7.4.7.1, on page 48, the clauses,

      client_version The latest (newest) version supported by the
         client.  This is used to detect version roll-back attacks.
         Upon receiving the premaster secret, the server SHOULD check
         that this value matches the value transmitted by the client in
         the client hello message.

      random
          46 securely-generated random bytes.

consistently should be formatted as:

|     client_version
|        The latest (newest) version supported by the client.  This is
         used to detect version roll-back attacks.  Upon receiving the
         premaster secret, the server SHOULD check that this value
         matches the value transmitted by the client in the client hello
         message.

      random
|        46 securely-generated random bytes.

and subsequently, the clause,

      pre_master_secret
          This random value is generated by the client and is used to
          generate the master secret, as specified in Section 8.1.

should be:

      pre_master_secret
|        This random value is generated by the client and is used to
|        generate the master secret, as specified in Section 8.1.


(E9)  spurious text line

During the removal of the "EXPORT" ciper suites from Appendix C,
a text line from RFC 2246 has been left there inadvertently.
The table, at the bottom of page 68,

      Key
      Exchange
      Algorithm     Description                        Key size limit

      DHE_DSS       Ephemeral DH with DSS signatures   None
      DHE_RSA       Ephemeral DH with RSA signatures   None
      DH_anon       Anonymous DH, no signatures        None
      DH_DSS        DH with DSS-based certificates     None
      DH_RSA        DH with RSA-based certificates     None
|                                                      RSA = none
      NULL          No key exchange                    N/A
      RSA           RSA key exchange                   None

should say:

      Key
      Exchange
      Algorithm     Description                        Key size limit

      DHE_DSS       Ephemeral DH with DSS signatures   None
      DHE_RSA       Ephemeral DH with RSA signatures   None
      DH_anon       Anonymous DH, no signatures        None
      DH_DSS        DH with DSS-based certificates     None
      DH_RSA        DH with RSA-based certificates     None
      NULL          No key exchange                    N/A
      RSA           RSA key exchange                   None


(E10) improper language

During the addition of the third protocol variant, text in Appendix E
has become improper, stiil talking about "both" versions.

The second paragraph of Appendix E, on page 71,

   TLS versions 1.1 and 1.0, and SSL 3.0 are very similar; thus,
   supporting both is easy.  TLS clients who wish [...]
              ^^^^
should say, e.g.:

   TLS versions 1.1 and 1.0, and SSL 3.0 are very similar; thus,
|  supporting all is easy.  TLS clients who wish [...]
              ^^^


(E11) improper line (un)folding

Appendix E.1, near the bottom on page 73, contains the clause:

   challenge The client challenge to the server for the server to
      identify itself is a (nearly) arbitrary-length random.  The TLS
      server will right-justify the challenge data to become the
      ClientHello.random data (padded with leading zeroes, if
      necessary), as specified in this protocol specification.  If the
      length of the challenge is greater than 32 bytes, only the last 32
      bytes are used.  It is legitimate (but not necessary) for a V3
      server to reject a V2 ClientHello that has fewer than 16 bytes of
      challenge data.

This should be formatted as:

|  challenge
|     The client challenge to the server for the server to identify
      itself is a (nearly) arbitrary-length random.  The TLS server will
      right-justify the challenge data to become the ClientHello.random
      data (padded with leading zeroes, if necessary), as specified in
      this protocol specification.  If the length of the challenge is
      greater than 32 bytes, only the last 32 bytes are used.  It is
      legitimate (but not necessary) for a V3 server to reject a V2
      ClientHello that has fewer than 16 bytes of challenge data.



(E12) punctuation issues in References

The following Normative Reference entries on page 81/82 contain
syntactically inconsistent punctuation.

   [AES]      National Institute of Standards and Technology,
              "Specification for the Advanced Encryption Standard (AES)"
              FIPS 197.  November 26, 2001.
should say:
   [AES]      National Institute of Standards and Technology,
              "Specification for the Advanced Encryption Standard
|             (AES)", FIPS 197.  November 26, 2001.
                    ^

   [3DES]     W. Tuchman, "Hellman Presents No Shortcut Solutions To
              DES," IEEE Spectrum, v. 16, n. 7, July 1979, pp. 40-41.
should say:
   [3DES]     W. Tuchman, "Hellman Presents No Shortcut Solutions To
|             DES", IEEE Spectrum, v. 16, n. 7, July 1979, pp. 40-41.
                 ^^

   [DES]      ANSI X3.106, "American National Standard for Information
              Systems-Data Link Encryption," American National Standards
              Institute, 1983.
should say:
   [DES]      ANSI X3.106, "American National Standard for Information
|             Systems-Data Link Encryption", American National Standards
              Institute, 1983.
                                          ^^

   [DSS]      NIST FIPS PUB 186-2, "Digital Signature Standard,"
              National Institute of Standards and Technology, U.S.
              Department of Commerce, 2000.
should say:                                                   vv
|  [DSS]      NIST FIPS PUB 186-2, "Digital Signature Standard",
              National Institute of Standards and Technology, U.S.
              Department of Commerce, 2000.


   [SHA]      NIST FIPS PUB 180-2, "Secure Hash Standard," National
              Institute of Standards and Technology, U.S. Department of
              Commerce., August 2001.
should say:                                             vv
|  [SHA]      NIST FIPS PUB 180-2, "Secure Hash Standard", National
              Institute of Standards and Technology, U.S. Department of
              Commerce., August 2001.


Similarly, the following Informative Reference entry on page 83,

   [RSA]      R. Rivest, A. Shamir, and L. M. Adleman, "A Method for
              Obtaining Digital Signatures and Public-Key
              Cryptosystems," Communications of the ACM, v. 21, n. 2,
              Feb 1978, pp.  120-126.

should say:

   [RSA]      R. Rivest, A. Shamir, and L. M. Adleman, "A Method for
              Obtaining Digital Signatures and Public-Key
|             Cryptosystems", Communications of the ACM, v. 21, n. 2,
              Feb 1978, pp.  120-126.


(E13) mis-spelled author name in Informative Reference

The name of Alan O. Freier has been mis-spelled on page 83, in the
Informative Reference,

   [SSL3]     A. Frier, P. Karlton, and P. Kocher, "The SSL 3.0
              Protocol", Netscape Communications Corp., Nov 18, 1996.

which should say:
                   vv
|  [SSL3]     A. Freier, P. Karlton, and P. Kocher, "The SSL 3.0
              Protocol", Netscape Communications Corp., Nov 18, 1996.

Notes:

(Item C1 split to separate Errata ID 1896)

All excerpts from the RFC text are taken keeping their original
formatting, and modified text is formatted in conformance with
RFC guidelines again.

I use change bars ('|' in column 1) and casual up/down pointing
tags ('^^^' / 'vvv' marks in extra lines) to emphasize the location
of textual issues and/or proposed textual enhancements/corrections.

from pending


Report New Errata