Re: [TLS] interop for TLS clients proposing TLSv1.1

Florian Weimer <fweimer@bfk.de> Mon, 26 September 2011 13:27 UTC

Return-Path: <fweimer@bfk.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68CEB21F8BA8 for <tls@ietfa.amsl.com>; Mon, 26 Sep 2011 06:27:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.681
X-Spam-Level:
X-Spam-Status: No, score=-0.681 tagged_above=-999 required=5 tests=[AWL=-1.032, BAYES_50=0.001, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OTzENYzBb80x for <tls@ietfa.amsl.com>; Mon, 26 Sep 2011 06:27:57 -0700 (PDT)
Received: from mx01.bfk.de (mx01.bfk.de [193.227.124.2]) by ietfa.amsl.com (Postfix) with ESMTP id AAEC421F8B98 for <tls@ietf.org>; Mon, 26 Sep 2011 06:27:57 -0700 (PDT)
Received: from mx00.int.bfk.de ([10.119.110.2]) by mx01.bfk.de with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) id 1R8BGX-0002FO-AQ; Mon, 26 Sep 2011 13:30:37 +0000
Received: by bfk.de with local id 1R8BGX-00005w-6A; Mon, 26 Sep 2011 13:30:37 +0000
From: Florian Weimer <fweimer@bfk.de>
To: mrex@sap.com
References: <201109212350.p8LNoZUk024729@fs4113.wdf.sap.corp>
Date: Mon, 26 Sep 2011 13:30:37 +0000
In-Reply-To: <201109212350.p8LNoZUk024729@fs4113.wdf.sap.corp> (Martin Rex's message of "Thu, 22 Sep 2011 01:50:35 +0200 (MEST)")
Message-ID: <82oby7ctxe.fsf@mid.bfk.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] interop for TLS clients proposing TLSv1.1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 13:27:58 -0000

* Martin Rex:

> I really think we (the TLS WG) should provide a remedy to this awful
> situation for the TLS protocol version negotiation in the installed
> base.

Most vendors offer automated updates these days.  Deployments which are
not updated are likely to have other issues besides interoperability
problems.  Protocol fixes still do not end up in deployment.

I think we should try to figure out the reason before we try to work
around it.  If we're unlucky, the workarounds are broken in a similar
way, and we gain very little because vendors and deployments which use
arguably more secure protocol versions are still punished by an
incompatible installation base.

-- 
Florian Weimer                <fweimer@bfk.de>;
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99