Re: [TLS] Cipher suite values to indicate TLS capability

Adam Langley <agl@google.com> Tue, 05 June 2012 23:51 UTC

On Tue, Jun 5, 2012 at 7:41 PM, Geoffrey Keating <geoffk@geoffk.org> wrote:
> Why would you need to send the extensions?  (The RFC says they're
> optional.)

Well, we could cross our fingers and hope that the server picks
something acceptable I guess (or simply define the set of acceptable
values for SSLv3). But extending SSLv3 to support ECDHE seems rather
specific:

There's also the issue of captive portals which tend to trigger
fallbacks by doing things like sending HTTP replies on port 443. If
the user authorises during the fallback process then we downgrade to
SSLv3, omit SNI and throw a nasty certificate error for any SNI
requiring domain names. I'd rather throw a network error than a
certificate error that trains users to ignore them. (This has actually
been happening to some of our users, although we significantly
ameliorated it by being more aggressive in stepping back up to TLS
after a fallback.)


Cheers

AGL
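
The preference stated above (a network error rather than a fallback when something answers in plaintext HTTP on port 443) can be sketched as a check on the first bytes received after the ClientHello. This is an added example, not part of the original message and not any browser's code; the function names, the HTTP prefixes and the decision policy are assumptions, and the sample byte strings are constructed.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
ALERT, HANDSHAKE = 21, 22
# Alert descriptions a server may send when it rejects the offered
# version or parameters (RFC 5246, section 7.2)
HANDSHAKE_FAILURE, PROTOCOL_VERSION = 40, 70
MAX_RECORD_LEN = 2**14 + 2048
# Assumed markers of a plaintext reply, e.g. from a captive portal
HTTP_PREFIXES = (b"HTTP/1.", b"<!DOCTYPE", b"<html", b"<HTML")

# Constructed samples
PORTAL_REPLY = b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/\r\n\r\n"
SERVER_HELLO = b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46"  # handshake record
VERSION_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal handshake_failure
CERT_ALERT = b"\x15\x03\x01\x00\x02\x02\x2a"     # fatal bad_certificate


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a peer sent in reply to a ClientHello."""
    if data.lstrip().startswith(HTTP_PREFIXES):
        return "plaintext_http"
    if len(data) < 5:
        return "unknown"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # Record versions 3.0 to 3.3 cover SSLv3 through TLS 1.2
    if major != 3 or minor > 3 or length == 0 or length > MAX_RECORD_LEN:
        return "unknown"
    if ctype == HANDSHAKE:
        return "tls_handshake"
    if ctype == ALERT and length == 2 and len(data) >= 7:
        if data[6] in (HANDSHAKE_FAILURE, PROTOCOL_VERSION):
            return "tls_alert_version"
        return "tls_alert_other"
    return "unknown"


def decide(data: bytes) -> str:
    """Hypothetical policy: only a well-formed TLS alert about the
    version or parameters permits a retry at a lower version; a
    non-TLS reply becomes a network error, never a fallback."""
    kind = classify_first_bytes(data)
    if kind == "tls_handshake":
        return "continue_handshake"
    if kind == "tls_alert_version":
        return "retry_lower_version"
    return "network_error"
```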