Re: [TLS] Controlling use of SHA-1
Hubert Kario <hkario@redhat.com> Fri, 30 October 2015 19:35 UTC
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Fri, 30 Oct 2015 20:34:48 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/CoKAapU-SQtnbV9YJdxAsc-mSiU>

On Thursday 22 October 2015 14:49:47 Bill Frantz wrote:
> On 10/23/15 at 2:02 PM, ynir.ietf@gmail.com (Yoav Nir) wrote:
> >That is true only if your application’s client component and
> >server component are using the same library. That is not
> >guaranteed in a protocol. Specifically that is not the case
> >with the web.
> >
> >There are some version intolerant servers out there that will
> >choke on seeing a TLS 1.3 ClientHello. If the client uses some
> >library (like OpenSSL) and you upgrade to OpenSSL 1.2.0 that
> >has TLS 1.3. All of a sudden your application is broken. On
> >the web this means that some websites don’t work.
>
> This incompatibility cuts both ways. Another way of looking at
> it is that all of a sudden your website has lost viewers and you
> should fix your problem. Perhaps I am unusual, but if I go to a
> website that doesn't work, I usually conclude that I don't need
> to see that web site. My problem is too little time, meaning I
> don't want to bleep with things that don't work, not extra time
> to futz with different browsers to get things working.

Until you have to get a refund on a $500 purchase through such a broken
web server...

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic