Re: [TLS] [certid] [secdir]
Martin Rex <mrex@sap.com> Wed, 22 September 2010 22:11 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 980DF3A6B4E for <tls@core3.amsl.com>; Wed, 22 Sep 2010 15:11:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.786
X-Spam-Level:
X-Spam-Status: No, score=-9.786 tagged_above=-999 required=5 tests=[AWL=0.463, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGnGt0v4h6hM for <tls@core3.amsl.com>; Wed, 22 Sep 2010 15:11:48 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 31B373A6B0A for <tls@ietf.org>; Wed, 22 Sep 2010 15:11:48 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o8MMBnV9000468 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 23 Sep 2010 00:11:49 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201009222211.o8MMBm2w008243@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Thu, 23 Sep 2010 00:11:48 +0200
In-Reply-To: <4C9A7330.3090001@extendedsubset.com> from "Marsh Ray" at Sep 22, 10 04:20:48 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: ark@eltex.net, barryleiba.mailing.lists@gmail.com, tls@ietf.org, jhutz@cmu.edu
Subject: Re: [TLS] [certid] [secdir]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2010 22:11:50 -0000
Marsh Ray wrote: > > On 09/22/2010 04:17 PM, Martin Rex wrote: > > I'm confused about the IE8 vs. IE9 behaviour that you report-- > > could it be that for your IE8 is running on a platform that > > does not implement TLS extensions (XP,2003) or has the > > TLSv1.x protocols disabled for some reason? > > Yep, svr2k3r2. > > The Qualys SSL Labs assessment tool doesn't send SNI so consequently it > gives all 'F's. > https://www.ssllabs.com/ssldb/analyze.html?d=gmail.com > > Gmail.com may be the first major site to depend on SNI for proper operation. > > So next time you hear someone saying they can't implement https because > their site can't get its own IP yet it's too important to rely on > extensions... If it was only about these two services hosted on a single TLS server, it would be trivial to fix by employing a single TLS server cert containing DNS-IDs for both hostnames. That would obviate the use of SNI. While it is helpful to have a publicly accessible server to test A clients SNI functionality, this should probably be done with a seperate test server and not a productive public system... :-] I'm really confused to see a company like google use TLS server certs that do not contain any DNS-IDs at all -- considering the proposals for TLS enhancements they have on the oven and are shipping in their software (e.g. Google Chrome). Is it that the particular CA they have chosen is unable or unwilling to issue state-of-the-art TLS server certs (i.e. certs with DNS-IDs)? -Martin
- Re: [TLS] secdir review of draft-saintandre-tls-s… Peter Saint-Andre
- Re: [TLS] [certid] Fwd: secdir review of draft-sa… Peter Saint-Andre
- Re: [TLS] [secdir] secdir review of draft-saintan… Peter Saint-Andre
- Re: [TLS] [secdir] secdir review of draft-saintan… Jeffrey Hutzelman
- Re: [TLS] secdir review of draft-saintandre-tls-s… Peter Saint-Andre
- Re: [TLS] [secdir] secdir review of draft-saintan… Peter Saint-Andre
- Re: [TLS] [secdir] secdir review of draft-saintan… Jeffrey Hutzelman
- Re: [TLS] [secdir] secdir review of draft-saintan… Peter Saint-Andre
- Re: [TLS] [certid] [secdir] secdir review of draf… ArkanoiD
- Re: [TLS] [certid] [secdir] secdir review of draf… Marsh Ray
- Re: [TLS] [certid] [secdir] secdir review of draf… Jeffrey A. Williams
- Re: [TLS] [certid] [secdir] secdir review of draf… Marsh Ray
- Re: [TLS] [certid] [secdir] secdir review of draf… Nasko Oskov
- Re: [TLS] [certid] [secdir] secdir Martin Rex
- Re: [TLS] [certid] [secdir] secdir review of draf… Marsh Ray
- Re: [TLS] [certid] [secdir] secdir Dr Stephen Henson
- Re: [TLS] [certid] [secdir] secdir review of draf… Steingruebl, Andy
- Re: [TLS] [certid] [secdir] Martin Rex
- Re: [TLS] secdir review of draft-saintandre-tls-s… Barry Leiba
- Re: [TLS] [certid] Fwd: secdir review of draft-sa… Barry Leiba
- Re: [TLS] [certid] [secdir] secdir review of draf… Marsh Ray
- Re: [TLS] [certid] [secdir] secdir review of draf… Richard L. Barnes
- Re: [TLS] [secdir] secdir review of Martin Rex
- Re: [TLS] [secdir] secdir review of Robert Relyea
- Re: [TLS] [secdir] secdir review of draft-saintan… =JeffH
- Re: [TLS] [secdir] secdir review of Nicolas Williams