Re: [TLS] Cipher suite values to indicate TLS capability
Adam Langley <agl@google.com> Tue, 05 June 2012 23:51 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6689111E80A1 for <tls@ietfa.amsl.com>; Tue, 5 Jun 2012 16:51:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uGVk6ZqLa5lx for <tls@ietfa.amsl.com>; Tue, 5 Jun 2012 16:51:48 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id B9A8711E80A0 for <tls@ietf.org>; Tue, 5 Jun 2012 16:51:48 -0700 (PDT)
Received: by yhq56 with SMTP id 56so4942405yhq.31 for <tls@ietf.org>; Tue, 05 Jun 2012 16:51:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=CBqFGYnfmDMf6HhBk7vNqkUEl3mn+/e8rYLvyGbqCXo=; b=nhI7VwB5anr+NOMFI6Z2zWDJ4Zfx/5o7UGpOanL8RGdJy8tc//piY5YppJokTcXldT s9zv0lyzNe1G4XfAcC6+rkYQUU6OiZ/Fwk3OZ/NRXAJFvkP5YHX6zJm1OdgINNNnYXE+ EwQgUEoq3IRu5HJCodlK+x+eqtpNx/Qn0LTl3jSxRw2Mnvk6oDel7W0BJVDRN8MKpohq vR30LEl2VWsJc6qD3Q6ZdY+yHHRK0WuWjssVA2HvXLedaGTaUb6/iqaSJRMKoAmWyIvw S48KbhCYSlFRnacwtNkFGtwO+47rZ1t4yGAPl4KOFtgvOQTwoweuhE5aI5N2eiKjx/X5 7h4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record :x-gm-message-state; bh=CBqFGYnfmDMf6HhBk7vNqkUEl3mn+/e8rYLvyGbqCXo=; b=OdHqU/cTdLzuVh0xmgqQJPH/SRNjF7lX+CQO2T4PsfYUz01XCN0kkfFlwlNDGa+8hq XHP8HSrkcWov+7s5/ImR/zqmF1V2BKvLJ8WPAV4n/gFo+6H9uqpiQuf1H7ZU5rVqNHNk AhemALCAqB1sbf3308fJJetD9F3FrhnXeS3I8kntKdLT21KFxTLQUM1lh+mXKpRPiHEF GCFaXR8fdgqx05KHTuD6VZeU9jjvsfuRs228fRatWbJQI5LadSGkqfKIaD+rRiPuZ/z+ GbcVkzT/T6yVkYxVb+c36ZzWLf4C/Yh+10y5KRJlzvcMTmLyJIQdUkrNtYySxTxv+sxn PMOg==
Received: by 10.42.62.211 with SMTP id z19mr5913354ich.2.1338940307874; Tue, 05 Jun 2012 16:51:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.62.211 with SMTP id z19mr5913349ich.2.1338940307777; Tue, 05 Jun 2012 16:51:47 -0700 (PDT)
Received: by 10.231.5.201 with HTTP; Tue, 5 Jun 2012 16:51:47 -0700 (PDT)
In-Reply-To: <m2oboxxr5z.fsf@localhost.localdomain>
References: <CAL9PXLwdQctUub5oPx0tepsfveDo0bNKGBUaUBBFeq4u4D0BbA@mail.gmail.com> <m2sje9xsc0.fsf@localhost.localdomain> <CAL9PXLy_Lr+-ehOKSddtooVBpgUzxCyLKhWghC7UtOAt3HH2Rw@mail.gmail.com> <m2oboxxr5z.fsf@localhost.localdomain>
Date: Tue, 05 Jun 2012 19:51:47 -0400
Message-ID: <CAL9PXLx4qdv1AYv7f47=1f8j7UkkOuaYEn9PHeLnQRWkJ5NKDQ@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Geoffrey Keating <geoffk@geoffk.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQmcpLKKIhxXkWJ1JuhSQs0pYNSoXl4CbIxeijeSMBZaofCvt8qvnQSwjDMUPW1VTm+A8ECQ1ILCIr5pN3Lm9q5FE569oLMnUiGsSRJJ8OArQDZbythj9eujVwOWX++MSq2ibSnn
Cc: tls@ietf.org
Subject: Re: [TLS] Cipher suite values to indicate TLS capability
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2012 23:51:49 -0000
On Tue, Jun 5, 2012 at 7:41 PM, Geoffrey Keating <geoffk@geoffk.org> wrote: > Why would you need to send the extensions? (The RFC says they're > optional.) Well, we could cross our fingers and hope that the server picks something acceptable I guess (or simply define the set of acceptable values for SSLv3). But extending SSLv3 to support ECDHE seems rather specific: There's also the issue of captive portals which tend to trigger fallbacks by doing things like sending HTTP replies on port 443. If the user authorises during the fallback process then we downgrade to SSLv3, omit SNI and throw a nasty certificate error for any SNI requiring domain names. I'd rather throw a network error than a certificate error that trains users to ignore them. (This has actually been happening to some of our users, although we significantly ameliorated it by being more aggressive in stepping back up to TLS after a fallback.) Cheers AGL
- Re: [TLS] Cipher suite values to indicate TLS cap… Geoffrey Keating
- [TLS] Cipher suite values to indicate TLS capabil… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Geoffrey Keating
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Geoffrey Keating
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Chris Richardson
- Re: [TLS] Cipher suite values to indicate TLS cap… Wan-Teh Chang
- Re: [TLS] Cipher suite values to indicate TLS cap… Yoav Nir
- Re: [TLS] Cipher suite values to indicate TLS cap… Yoav Nir
- Re: [TLS] Cipher suite values to indicate TLS cap… Nikos Mavrogiannopoulos
- Re: [TLS] Cipher suite values to indicate TLS cap… Geoffrey Keating
- Re: [TLS] Cipher suite values to indicate TLS cap… Chris Richardson
- Re: [TLS] Cipher suite values to indicate TLS cap… Tom Ritter
- Re: [TLS] Cipher suite values to indicate TLS cap… Nikos Mavrogiannopoulos
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Nikos Mavrogiannopoulos
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Martin Rex