IETF Logo Mail Archive

Re: [TLS] [certid] [secdir]

Martin Rex <mrex@sap.com> Wed, 22 September 2010 22:11 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 980DF3A6B4E for <tls@core3.amsl.com>; Wed, 22 Sep 2010 15:11:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.786
X-Spam-Level:
X-Spam-Status: No, score=-9.786 tagged_above=-999 required=5 tests=[AWL=0.463, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGnGt0v4h6hM for <tls@core3.amsl.com>; Wed, 22 Sep 2010 15:11:48 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 31B373A6B0A for <tls@ietf.org>; Wed, 22 Sep 2010 15:11:48 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o8MMBnV9000468 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 23 Sep 2010 00:11:49 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201009222211.o8MMBm2w008243@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Thu, 23 Sep 2010 00:11:48 +0200
In-Reply-To: <4C9A7330.3090001@extendedsubset.com> from "Marsh Ray" at Sep 22, 10 04:20:48 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: ark@eltex.net, barryleiba.mailing.lists@gmail.com, tls@ietf.org, jhutz@cmu.edu
Subject: Re: [TLS] [certid] [secdir]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2010 22:11:50 -0000

Marsh Ray wrote:
> 
> On 09/22/2010 04:17 PM, Martin Rex wrote:
>  > I'm confused about the IE8 vs. IE9 behaviour that you report--
>  > could it be that for your IE8 is running on a platform that
>  > does not implement TLS extensions (XP,2003) or has the
>  > TLSv1.x protocols disabled for some reason?
> 
> Yep, svr2k3r2.
> 
> The Qualys SSL Labs assessment tool doesn't send SNI so consequently it 
> gives all 'F's.
> https://www.ssllabs.com/ssldb/analyze.html?d=gmail.com
> 
> Gmail.com may be the first major site to depend on SNI for proper operation.
> 
> So next time you hear someone saying they can't implement https because 
> their site can't get its own IP yet it's too important to rely on 
> extensions...

If it was only about these two services hosted on a single TLS server,
it would be trivial to fix by employing a single TLS server cert
containing DNS-IDs for both hostnames.  That would obviate the use
of SNI.  While it is helpful to have a publicly accessible server
to test A clients SNI functionality, this should probably be done
with a seperate test server and not a productive public system... :-]


I'm really confused to see a company like google use TLS server certs
that do not contain any DNS-IDs at all -- considering the
proposals for TLS enhancements they have on the oven and are
shipping in their software (e.g. Google Chrome).

Is it that the particular CA they have chosen is unable or unwilling
to issue state-of-the-art TLS server certs (i.e. certs with DNS-IDs)?
 

-Martin

v2.23.0 | Report a Bug | By Email