Re: [TLS] Controlling use of SHA-1

[Hubert Kario <hkario@redhat.com>]

On Thursday 22 October 2015 14:49:47 Bill Frantz wrote:
> On 10/23/15 at 2:02 PM, ynir.ietf@gmail.com (Yoav Nir) wrote:
> >That is true only if your application’s client component and
> >server component are using the same library. That is not
> >guaranteed in a protocol. Specifically that is not the case
> >with the web.
> >
> >There are some version intolerant servers out there that will
> >choke on seeing a TLS 1.3 ClientHello. If the client uses some
> >library (like OpenSSL) and you upgrade to OpenSSL 1.2.0 that
> >has TLS 1.3. All of the sudden your application is broken. On
> >the web this means that some websites don’t work.
> 
> This incompatibility cuts both ways. Another way of looking at
> it is that all of a sudden your website has lost viewers and you
> should fix your problem. Perhaps I am unusual, but if I go the a
> website that doesn't work, I usually conclude that I don't need
> to see that web site. My problem is too little time, meaning I
> don't want to bleep with things that don't work, not extra time
> to futz with different browsers to get things working.

Until you have to get a refund on a $500 purchase through such broken 
web server...

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic