Re: [TLS] weird ECDSA interop problem with cloudflare/nginx

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 26 July 2016 11:28 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] weird ECDSA interop problem with cloudflare/nginx
Date: Tue, 26 Jul 2016 11:28:05 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4CD7DAB@uxcn10-5.UoA.auckland.ac.nz>
References: <20160725190849.728521A508@ld9781.wdf.sap.corp> <20160725193708.GA17319@LK-Perkele-V2.elisa-laajakaista.fi> <9A043F3CF02CD34C8E74AC1594475C73F4CD79E0@uxcn10-5.UoA.auckland.ac.nz>, <20160726103257.GA24563@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20160726103257.GA24563@LK-Perkele-V2.elisa-laajakaista.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5zZM0Lds5t_I-ZDUxRTw_5pJLMc>

Since I've referred to TLS-LTS a couple of times now I should mention that
I've just posted an update, with the following changes:

- Clarified what happens during a session resumption.

- Fixed the ServerKeyExchange text to indicate what happens when the hash
  isn't the default SHA-256.  Is the resulting text comprehensible?  That is,
  does it make clear what's signed, and with what hash?

- Added an alternative, quicker way to verify domain parameters that doesn't
  require the full FIPS 186 checks.

- Reworked the text about the handling of extensions yet again.  I'm still not
  happy with this, or certain that it's sufficiently unambiguous; can people
  see if they can pick holes in it?

- Reworked the rationale.

Peter.