Re: [TLS] Cipher suite values to indicate TLS capability

Wan-Teh Chang <wtc@google.com> Wed, 06 June 2012 01:18 UTC

To: Adam Langley <agl@google.com>
Cc: Geoffrey Keating <geoffk@geoffk.org>, tls@ietf.org

ECDHE is not the only feature we lose when downgrading to SSLv3. We
also lose all the features implemented using TLS extensions, such as
server name indication, OCSP stapling, and the ability to negotiate
SPDY.

It would be nice if the server could indicate support of TLS in a less
destructive way than rejecting the handshake.  Perhaps a new alert
message at the warning level?

As for TLS_1_1_CAPABLE_SCSV and TLS_1_2_CAPABLE_SCSV, it seems that
TLS_1_2_CAPABLE_SCSV could be useful because TLS 1.2 is important to
the people who want to avoid SHA-1 and MD5 or comply with NSA Suite B.

Wan-Teh