IETF Logo Mail Archive

Re: [TLS] The risk of misconfiguration

Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 07 May 2014 00:25 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59B6B1A06C4 for <tls@ietfa.amsl.com>; Tue, 6 May 2014 17:25:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RHuR3OuWIL7U for <tls@ietfa.amsl.com>; Tue, 6 May 2014 17:25:02 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 4F36E1A0069 for <tls@ietf.org>; Tue, 6 May 2014 17:24:57 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 604172AAA03; Wed, 7 May 2014 00:24:52 +0000 (UTC)
Date: Wed, 07 May 2014 00:24:52 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140507002452.GH27883@mournblade.imrryr.org>
References: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com> <53692FC2.1060009@akr.io> <20140506221344.GB27883@mournblade.imrryr.org> <536977E3.3000608@akr.io>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <536977E3.3000608@akr.io>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/n-4hsMu7NvDfYEQHljfiF3MV3gY
Subject: Re: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 00:25:04 -0000

On Wed, May 07, 2014 at 01:01:39AM +0100, Alyssa Rowan wrote:

> > The OpenSSL cipherlist is
> 
> ...um. The word I'd use would be: hairy.
> 
> In practice, unfortunately way too hairy for the average developer;
> whence passing the buck to the average end-user; whence the average
> end-user taking the cipherlist as copypasta from the first Google
> result they found that actually worked.
> 
> We've all seen the end results.

We must not confuse implementation user-interface issues with
protocol issues.  The protocol supports many different use-cases.
Interfaces for cipher selection in implementations are not protocol
issues.  The OpenSSL cipherlist interface is beginning to get some
attention.  That issue belongs on openssl-dev@openssl.org, not
tls@ietf.org.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email