IETF Logo Mail Archive

Re: [TLS] interop for TLS clients proposing TLSv1.1

Juho Vähä-Herttua <juhovh@iki.fi> Tue, 27 September 2011 07:07 UTC

Return-Path: <juhovh@iki.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7343E21F8D1B for <tls@ietfa.amsl.com>; Tue, 27 Sep 2011 00:07:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.95
X-Spam-Level:
X-Spam-Status: No, score=-1.95 tagged_above=-999 required=5 tests=[AWL=0.349, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wVl96VhNtLLH for <tls@ietfa.amsl.com>; Tue, 27 Sep 2011 00:07:53 -0700 (PDT)
Received: from jenni1.inet.fi (mta-out.inet.fi [195.156.147.13]) by ietfa.amsl.com (Postfix) with ESMTP id BA75221F8B67 for <tls@ietf.org>; Tue, 27 Sep 2011 00:07:52 -0700 (PDT)
Received: from mail.visino.fi (88.192.37.90) by jenni1.inet.fi (8.5.133) id 4E7C5E0F002B708D; Tue, 27 Sep 2011 10:10:28 +0300
Received: from [192.168.1.100] (dsl-hkibrasgw3-ff2cc000-252.dhcp.inet.fi [88.192.44.252]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: juhovh) by mail.visino.fi (Postfix) with ESMTPSA id 31ABF1FEE1; Tue, 27 Sep 2011 10:10:26 +0300 (EEST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Juho Vähä-Herttua <juhovh@iki.fi>
In-Reply-To: <4E8174BA.8060203@gnutls.org>
Date: Tue, 27 Sep 2011 10:10:26 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <F493622E-66C3-4729-86AD-B65AD0D64BCB@iki.fi>
References: <r422Ps-1068i-BDA7EE4404A24A818F407021587398EE@Bill-Frantzs-MacBook-Pro.local> <4E8174BA.8060203@gnutls.org>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
X-Mailer: Apple Mail (2.1084)
Cc: tls@ietf.org
Subject: Re: [TLS] interop for TLS clients proposing TLSv1.1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2011 07:07:53 -0000

On Sep 27, 2011, at 10:01 AM, Nikos Mavrogiannopoulos wrote:
> On 09/27/2011 01:32 AM, Bill Frantz wrote:
> 
>> I would add on this topic:
>> Browsers should refuse to display their highest security UI indicators
>> if they negotiate a version of TLS with known flaws.
> 
> This seems like the best strategy to force servers to upgrade.

I agree completely. If the browser vendors just agree to this, SSLv3 and TLSv1.0 could be phased out gracefully leaving us with TLS 1.1 and TLS 1.2 only. Since with two versions there cannot be any unsupported versions in between, it would effectively resolve the mentioned version negotiation problem in current TLS for the time being. (until new TLS versions come up)


Juho

v2.23.0 | Report a Bug | By Email