Re: [TLS] Working Group Last Call for draft-ietf-tls-sslv3-diediedie-00

Kurt Roeckx <kurt@roeckx.be> Thu, 29 January 2015 18:19 UTC

Date: Thu, 29 Jan 2015 19:18:50 +0100
From: Kurt Roeckx <kurt@roeckx.be>
To: Hubert Kario <hkario@redhat.com>
Message-ID: <20150129181850.GA9608@roeckx.be>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF694DD@uxcn10-tdc05.UoA.auckland.ac.nz> <20150128231009.GA25284@roeckx.be> <1504300.ArI2OzS8We@pintsize.usersys.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1504300.ArI2OzS8We@pintsize.usersys.redhat.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/BttEbc_N3pwJX1ydVSueTrMuwzw>
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-sslv3-diediedie-00
Precedence: list

On Thu, Jan 29, 2015 at 11:18:44AM +0100, Hubert Kario wrote:
> > For
> > some reason 1.2 actually seems to better support than 1.1.  There
> > are a strange set of servers out there that support 1.0 and 1.2
> > but not 1.1.
> 
> bug in openssl, SSL_OP_ALL from OpenSSL 1.0.0 did include SSL_OP_NO_TLSv1_1 
> when run against OpenSSL 1.0.1:
> https://rt.openssl.org/Ticket/Display.html?id=2802&user=guest&pass=guest
> 
> which you should know, given that you have submitted the above bug report ;)

I do know about that bug report.  The only people that should have
been affected by it were those that compiled against 1.0.1 and not
against ealier or later releases like any 1.0.0* or 1.0.1[a-l].

The sites that have this behaviour are also larger sites that
probably use some kind of accelator hardware, and I suspect it's
that hardware that doesn't do TLS 1.1.  At least 1 site I know
about that doesn't know TLS 1.1 but does TLS 1.2 is also
vulnerable to poodle in TLS, so they can't be using openssl.

Kurt

[TLS] Working Group Last Call for draft-ietf-tls-… Joseph Salowey
Re: [TLS] Working Group Last Call for draft-ietf-… Andrei Popov
Re: [TLS] Working Group Last Call for draft-ietf-… Xiaoyin Liu
Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
Re: [TLS] Working Group Last Call for draft-ietf-… Geoffrey Keating
Re: [TLS] Working Group Last Call for draft-ietf-… Dave Garrett
Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
Re: [TLS] Working Group Last Call for draft-ietf-… Stephen Checkoway
Re: [TLS] Working Group Last Call for draft-ietf-… Aaron Zauner
Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
Re: [TLS] Working Group Last Call for draft-ietf-… Dave Garrett
Re: [TLS] Working Group Last Call for draft-ietf-… Yuhong Bao
Re: [TLS] Working Group Last Call for draft-ietf-… Hanno Böck
Re: [TLS] Working Group Last Call for draft-ietf-… Aaron Zauner
Re: [TLS] Working Group Last Call for draft-ietf-… Dave Garrett
Re: [TLS] Working Group Last Call for draft-ietf-… Michael Clark
Re: [TLS] Working Group Last Call for draft-ietf-… Peter Gutmann
Re: [TLS] Working Group Last Call for draft-ietf-… Kurt Roeckx
Re: [TLS] Working Group Last Call for draft-ietf-… Martin Rex
Re: [TLS] Working Group Last Call for draft-ietf-… Joe Hall
Re: [TLS] Working Group Last Call for draft-ietf-… Hubert Kario
Re: [TLS] Working Group Last Call for draft-ietf-… Kurt Roeckx
Re: [TLS] Working Group Last Call for draft-ietf-… Hubert Kario
Re: [TLS] Working Group Last Call for draft-ietf-… Peter Gutmann
Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
Re: [TLS] Working Group Last Call for draft-ietf-… Stephen Checkoway
Re: [TLS] Working Group Last Call for draft-ietf-… Joseph Salowey
Re: [TLS] Working Group Last Call for draft-ietf-… Erik Nygren
Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
Re: [TLS] Working Group Last Call for draft-ietf-… Joseph Salowey
Re: [TLS] Working Group Last Call for draft-ietf-… Martin Thomson
Re: [TLS] Working Group Last Call for draft-ietf-… Martin Rex
Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd