Re: [TLS] Deployment ... Re: This working group has failed
Hannes Tschofenig <hannes.tschofenig@gmx.net> Sun, 17 November 2013 11:53 UTC
Hi Yoav,

thanks for the response.

I am interested in those views only to collect some data points for improving the rate of adoption in the future. You might think I am strange but I think we should learn from those mistakes and avoid them in the future.

From what you write below I am wondering what TLS libraries these problematic servers have been using? Do we know more about that?

Ciao
Hannes

On 17.11.13 12:12, Yoav Nir wrote:
>
> On Nov 17, 2013, at 12:30 PM, Hannes Tschofenig
> <Hannes.Tschofenig@gmx.net> wrote:
>
>> Hi Taylor,
>>
>> Would be interesting to hear from someone working for Mozilla (like
>> Ekr, our TLS WG chair) why things are progressing so slowly and
>> what exactly their problem is.
>>
>
> Hi Hannes
>
> We have heard before from people at Google and at Microsoft. Google
> only added TLS 1.2 very recently, and Microsoft added it very early,
> but disabled it by default for a long time.
>
> There were issues with failures of connection attempts using TLS
> 1.2. There have been issues with 1.1, but 1.2 produced much more of
> them.
>
> 1. TLS 1.2 is the first version to require support of extensions.
>    Some servers broke when extensions existed.
> 2. Some servers broke on unrecognized extensions.
> 3. Some servers break on missing extensions - certain servers will
>    not accept a TLS 1.2 ClientHello without the SignatureAlgorithm
>    extension
>
> Combining 1 & 3, you can't win. Some servers just won't work.
>
> I don't know what changed. Perhaps the percentage of servers that are
> broken like that has diminished. But now it looks like the browser
> vendors have deemed it as sufficiently low to allow them to make this
> on by default.
>
> Yoav
>
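Added example, not part of the original message or of any TLS library: a server-side ClientHello parser that tolerates all three cases listed in the quoted reply (no extensions block, unrecognized extensions, missing signature_algorithms) and rejects only structurally malformed input. The function names, the constructed sample hello and the choice of an RSA key exchange for the default are assumptions made for illustration.

```python
SIG_ALGS = 13                      # signature_algorithms extension type (RFC 5246)
DEFAULT_SIG_ALGS = [(2, 1)]        # (sha1, rsa): assumed when the extension is absent

class ParseError(ValueError):
    """Structurally malformed input, the only reason to reject the hello."""

def _vec(buf, pos, len_bytes):
    """Read a length-prefixed vector; refuse lengths that overrun the buffer."""
    start = pos + len_bytes
    if start > len(buf):
        raise ParseError("truncated length field")
    end = start + int.from_bytes(buf[pos:start], "big")
    if end > len(buf):
        raise ParseError("vector overruns message")
    return buf[start:end], end

def parse_client_hello(body):
    """Parse a ClientHello body (the bytes after the 4-byte handshake header)."""
    if len(body) < 34:
        raise ParseError("shorter than version + random")
    pos = 34                                   # 2-byte version, 32-byte random
    for len_bytes in (1, 2, 1):                # session_id, cipher_suites, compression
        _, pos = _vec(body, pos, len_bytes)
    sig_algs, ignored = DEFAULT_SIG_ALGS, []   # default stands unless overridden
    if pos < len(body):                        # the extensions block is optional
        exts, pos = _vec(body, pos, 2)
        if pos != len(body):
            raise ParseError("trailing bytes after extensions")
        epos = 0
        while epos < len(exts):
            etype = int.from_bytes(exts[epos:epos + 2], "big")
            data, epos = _vec(exts, epos + 2, 2)
            if etype == SIG_ALGS:
                pairs, _ = _vec(data, 0, 2)
                if len(pairs) % 2:
                    raise ParseError("odd-length signature_algorithms list")
                sig_algs = list(zip(pairs[0::2], pairs[1::2]))
            else:
                ignored.append(etype)          # unknown extension: skip, do not fail
    return {"version": (body[0], body[1]), "sig_algs": sig_algs, "ignored": ignored}

def build_hello(extensions=None):
    """Constructed sample input: a TLS 1.2 hello offering one cipher suite."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if extensions is not None:
        ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d
                       for t, d in extensions)
        body += len(ext).to_bytes(2, "big") + ext
    return body
```

Running the same three hello shapes (none, unknown-only, signature_algorithms present) against a server under test shows which of the quoted failure modes it exhibits.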