Re: [TLS] checking on an scsv point

Martin Thomson <martin.thomson@gmail.com> Wed, 18 February 2015 00:40 UTC

In-Reply-To: <20150218002804.C59951B1B1@ld9781.wdf.sap.corp>
References: <CABkgnnWywGzhpvN3-Brjt_DRYQSm7db7=v0wE0exNPaSNjqKpA@mail.gmail.com> <20150218002804.C59951B1B1@ld9781.wdf.sap.corp>
Date: Wed, 18 Feb 2015 11:39:54 +1100
Message-ID: <CABkgnnXRrh90zjoN9s=qjDXTD7byprfcHXF7AwmyEbxL9G99pQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/0uBNwJfmdx5BIYWVvjOZ1QoQArg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] checking on an scsv point

On 18 February 2015 at 11:28, Martin Rex <mrex@sap.com> wrote:
> You mean that this client will fallback further _down_, rather than
> upwards as the server suggests?

Indeed.  I expect that to be a common response.

> I assume this is mostly because the App does the heuristics here
> and has little information to do its heuristics (it probably doesn't
> have the ServerHello to look at).  But that should be an easy
> fix to the app heuristics.

I'm largely talking about apps that don't change here, because if they
were to change, then I'd be arguing for disabling fallback.  It's
actually fairly easy to make the change, because the app is usually
well aware of the fact that it is performing a fallback when it does.
What is needed is a signal to the TLS stack that it should accept a
higher version in the ServerHello.
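The two client behaviours discussed above, as an added model that is not part of this thread or of any TLS stack. It assumes a server that answers a fallback ClientHello carrying TLS_FALLBACK_SCSV by suggesting its own higher version in the ServerHello (the "upwards" suggestion referred to in the reply), a constructed version range, and a placeholder cipher suite; only the SCSV value 0x5600 is the real one from RFC 7507.

```python
TLS_FALLBACK_SCSV = 0x5600                 # RFC 7507 signalling cipher suite value
VERSIONS = [0x0301, 0x0302, 0x0303]        # TLS 1.0, 1.1, 1.2 (constructed range)

def server_response(server_max, offered, suites):
    """Constructed server: on seeing the SCSV below its own maximum it
    suggests that maximum in the ServerHello rather than failing."""
    if TLS_FALLBACK_SCSV in suites and offered < server_max:
        return server_max
    return min(server_max, offered)

def tls_stack_connect(server_max, offered, app_max, accept_higher):
    """Constructed TLS stack. Offers `offered`, adds the SCSV whenever that is
    below what the app supports, and, unless the app has signalled
    `accept_higher`, rejects a ServerHello above the offered version.
    Returns the negotiated version or None."""
    suites = [0x002F]                       # one ordinary suite, placeholder
    if offered < app_max:
        suites.append(TLS_FALLBACK_SCSV)
    chosen = server_response(server_max, offered, suites)
    if chosen > offered and not accept_higher:
        return None                         # stack refuses the higher version
    return chosen if chosen <= app_max else None

def run_fallback(server_max, app_max, accept_higher):
    """App-level fallback loop, entered after the full-version attempt has
    already failed for an unrelated reason (constructed). Unchanged app
    heuristics (accept_higher=False) keep stepping down on every failure;
    an app that signals the stack (accept_higher=True) lets the suggested
    higher version through. Returns the negotiated version or None."""
    lower = [v for v in VERSIONS if v < app_max]
    for offered in reversed(lower):
        got = tls_stack_connect(server_max, offered, app_max, accept_higher)
        if got is not None:
            return got
    return None

if __name__ == "__main__":
    # Server and app both support TLS 1.2; the naive loop walks down to
    # nothing, the signalling app lands on 1.2.
    print(hex(run_fallback(0x0303, 0x0303, accept_higher=False) or 0))
    print(hex(run_fallback(0x0303, 0x0303, accept_higher=True) or 0))
    # A server that genuinely tops out at 1.1 never triggers the suggestion.
    print(hex(run_fallback(0x0302, 0x0303, accept_higher=False) or 0))
```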