Re: [TLS] checking on an scsv point

mrex@sap.com (Martin Rex) Wed, 18 February 2015 00:28 UTC

In-Reply-To: <CABkgnnWywGzhpvN3-Brjt_DRYQSm7db7=v0wE0exNPaSNjqKpA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 18 Feb 2015 01:28:04 +0100
Message-Id: <20150218002804.C59951B1B1@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/mqyx-u-Zoe0DUYJiat3lOATz64o>
Cc: "tls@ietf.org" <tls@ietf.org>

Martin Thomson wrote:
> Martin Rex <mrex@sap.com> wrote:
>>
>> But that is a question for the apps on top rather than for NSS.
> 
> I have access to one of those as well.  That implementation would
> consider the failure to be *another* sign of version intolerance,
> triggering further fallback.  If the pattern of version+1 responses
> continues, and I expect it to, it will reset any version intolerance
> state after exhausting all the options.

You mean that this client will fall back further _down_, rather than
upwards as the server suggests?

I assume this is mostly because the App does the heuristics here
and has little information to do its heuristics (it probably doesn't
have the ServerHello to look at).  But that should be an easy
fix to the app heuristics.


> 
> Of course, that implementation is about to disable fallback, so the
> window of applicability is extremely narrow in that case.

Then the exact semantics of the FALLBACK_SCSV and the server response
to it will become a non-issue for that App, I believe.


-Martin
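The two client behaviours discussed in this thread, as an added illustration that is not part of the original message or of any real TLS stack: a simulated RFC 7507 server that answers a downgraded ClientHello carrying TLS_FALLBACK_SCSV with an inappropriate_fallback alert, and a fallback client that either treats that alert as one more sign of version intolerance and keeps going down, or (the fixed heuristic) takes it as proof that the earlier failure was not intolerance and retries at the top. The server model, its transient-failure and intolerance knobs, and the cipher-suite list are constructed assumptions.

```python
TLS_FALLBACK_SCSV = 0x5600                   # cipher-suite value from RFC 7507
VERSIONS = [0x0303, 0x0302, 0x0301]          # TLS 1.2, 1.1, 1.0, tried in order

class Server:
    """Constructed server model. `transient_failures` simulates a network
    glitch on the first attempt(s); `intolerant` simulates a server that
    breaks on any ClientHello version above what it supports."""
    def __init__(self, max_version, transient_failures=0, intolerant=False):
        self.max_version = max_version
        self.transient_failures = transient_failures
        self.intolerant = intolerant

    def hello(self, client_version, cipher_suites):
        if self.transient_failures > 0:
            self.transient_failures -= 1
            return "connection_reset", None
        if self.intolerant and client_version > self.max_version:
            return "connection_reset", None
        # RFC 7507 section 3: SCSV present and a higher version is supported.
        if TLS_FALLBACK_SCSV in cipher_suites and client_version < self.max_version:
            return "alert", "inappropriate_fallback"
        return "server_hello", min(client_version, self.max_version)

def connect(server, naive=False):
    """Run the fallback dance. Returns (outcome, negotiated_version, attempts).
    naive=True keeps falling back on inappropriate_fallback (the behaviour
    quoted above); naive=False goes back up once instead."""
    attempts, idx, retried_up = [], 0, False
    while idx < len(VERSIONS):
        version = VERSIONS[idx]
        # Only downgraded retries carry the SCSV (0x002F = TLS_RSA_WITH_AES_128_CBC_SHA).
        suites = [0x002F] + ([TLS_FALLBACK_SCSV] if idx > 0 else [])
        kind, data = server.hello(version, suites)
        attempts.append((version, kind))
        if kind == "server_hello":
            return "ok", data, attempts
        if kind == "alert" and not naive and not retried_up:
            # The server just proved it speaks a higher version, so the earlier
            # failure was not intolerance: retry at the top, do not go lower.
            idx, retried_up = 0, True
            continue
        idx += 1
    return "failed", None, attempts
```

With one transient failure in front of a TLS 1.2 server the naive client exhausts every version and fails, while the fixed client recovers at TLS 1.2 on its third attempt; against a genuinely intolerant TLS 1.0 server both still fall back successfully, since the SCSV only fires when the server supports something higher.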