Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

["Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>]

On Mon, 09 Nov 2009 20:37:46 +0100, David-Sarah Hopwood  
<david-sarah@jacaranda.org> wrote:

> Martin Rex wrote:
>> There may be SSLv3 servers out there that choke on extension data
>> in the ClientHello.  But that doesn't mean that one could not
>> upgrade SSLv3 servers to support TLS extensions.  The more interesting
>> question is IMHO -- which TLS clients will choke when an SSLv3 server
>> returns a ServerHello extension?  spec-wise, a ServerHello extension
>> is as unusual to SSLv3 as it is to TLSv1.0.
>
> Why would that situation arise? For that to happen, an SSL server
> library would have to be upgraded to support extensions but not to
> support TLS. Are there any SSL-only libraries being actively
> maintained?

This is unlikely to work, because at least some clients (Opera being one)  
will never send Extensions to SSL v3 server. In fact, Opera will not  
attempt Extensions to a server until it knows it is dealing with a TLS  
1.0+ server, because we know there are TLS 1.0 servers that does not  
accept Extensions (see  
http://tools.ietf.org/html/draft-ietf-tls-interoperability-00 ).



-- 
Sincerely,
Yngve N. Pettersen
 
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************