Re: [TLS] Consensus on PR 169 - relax certificate list requirements
Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 01 September 2015 07:53 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Yoav Nir <ynir.ietf@gmail.com>, Florian Weimer <fweimer@redhat.com>
Date: Tue, 01 Sep 2015 07:53:01 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4AEE48F@uxcn10-5.UoA.auckland.ac.nz>
References: <CAOgPGoAPCXkzc=01_+FPSJcxV8vEQmBUYNGYaWMdKpSGU0M0Lg@mail.gmail.com> <201508261742.01242.davemgarrett@gmail.com> <55E4423B.3010101@redhat.com> <CABkgnnX8dbQix_DZG5fxoFWK9e5FmUC1szneudssCDdZ0M3U+w@mail.gmail.com> <55E4792A.30809@redhat.com>,<528150F2-3323-4384-B812-006749D404AD@gmail.com>
In-Reply-To: <528150F2-3323-4384-B812-006749D404AD@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/SVoVEo54JmB2k9yz5EVCstddXKM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Consensus on PR 169 - relax certificate list requirements
Yoav Nir <ynir.ietf@gmail.com> writes:

>I feel the pain (I know some administrators who have made this mistake), but
>it’s always best to test with something like “openssl s_client”.

That's quite possibly the worst thing to test it with, because it's what everyone else also tests against, so it's the thing that everyone makes their code compatible with. The SSH equivalent is PuTTY, the standard conformance test for SSH RFC compliance is "will PuTTY connect to it?". Since PuTTY bends over backwards to accommodate broken implementations, you end up with a "conformance test" that doesn't really test anything.

What you need to test with is a fairly picky implementation with good diagnostics. I rather like Mike's server, https://www.mikestoolbox.org/.

Peter.
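As an added example, not part of this thread and not code from any of the posters, the following Go program makes Peter's point concrete for the case the thread's subject is about (PR 169, relaxing the certificate list ordering requirement). It assumes the "mistake" Yoav refers to is a misordered certificate chain. LenientVerify behaves like a forgiving client: it pools every certificate after the leaf and lets the path builder find a valid order, so a server sending [leaf, root, intermediate] passes and its operator sees no failure. StrictChainOrder is the picky peer: it insists that each certificate in the list directly certify the one before it. The root, intermediate and leaf (Example Test Root, Example Test Intermediate, example.test) are constructed in-process with throwaway P-256 keys so the program runs offline; none of them is a real CA.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// StrictChainOrder is the check a picky TLS peer applies to a server's
// certificate_list: the first certificate is the end-entity and each later
// certificate directly certifies the one before it (issuer name matches and
// the signature verifies). The right certificates in the wrong order fail.
func StrictChainOrder(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("empty certificate list")
	}
	if chain[0].IsCA {
		return errors.New("first certificate is a CA, not the end-entity")
	}
	for i := 0; i+1 < len(chain); i++ {
		child, parent := chain[i], chain[i+1]
		if !bytes.Equal(child.RawIssuer, parent.RawSubject) {
			return fmt.Errorf("cert %d (%s) is not issued by cert %d (%s)",
				i, child.Subject.CommonName, i+1, parent.Subject.CommonName)
		}
		if err := child.CheckSignatureFrom(parent); err != nil {
			return fmt.Errorf("cert %d not signed by cert %d: %w", i, i+1, err)
		}
	}
	return nil
}

// LenientVerify behaves like a forgiving client: everything after the leaf
// goes into a pool and the path builder works out a valid order itself, so a
// misordered list is accepted and the server operator never sees a failure.
func LenientVerify(chain []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: "example.test",
	})
	return err
}

// MakeTestChain mints a constructed root -> intermediate -> leaf chain with
// fresh P-256 keys so the example runs offline. Nothing here is a real CA.
func MakeTestChain() (leaf, inter, root *x509.Certificate, err error) {
	now := time.Now()
	issue := func(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		if signer == nil { // self-signed root signs with its own key
			signer = key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		if err != nil {
			return nil, nil, err
		}
		cert, err := x509.ParseCertificate(der)
		return cert, key, err
	}
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, "Example Test Root")
	root, rootKey, err := issue(rootTmpl, rootTmpl, nil)
	if err != nil {
		return
	}
	inter, interKey, err := issue(ca(2, "Example Test Intermediate"), root, rootKey)
	if err != nil {
		return
	}
	leaf, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames:  []string{"example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return
}

// Result records what each style of check says about one certificate_list.
type Result struct{ Strict, Lenient error }

// Demo runs both checks on a correctly ordered list and on the same
// certificates with the root wedged in ahead of the intermediate.
func Demo() (ordered, misordered Result, err error) {
	leaf, inter, root, err := MakeTestChain()
	if err != nil {
		return
	}
	good := []*x509.Certificate{leaf, inter}
	bad := []*x509.Certificate{leaf, root, inter} // the operator's "mistake"
	ordered = Result{StrictChainOrder(good), LenientVerify(good, root)}
	misordered = Result{StrictChainOrder(bad), LenientVerify(bad, root)}
	return
}
```

Run Demo and compare the two Result values: the lenient verifier returns nil for both lists, which is exactly why testing only against a forgiving peer tells you nothing about whether your certificate_list is in order; only the strict check reports the misordering.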