Re: [TLS] SCSV vs RI when both specified. Was: Updated draft

"Kemp, David P." <DPKemp@missi.ncsc.mil> Wed, 30 December 2009 17:53 UTC

Return-Path: <DPKemp@missi.ncsc.mil>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C9D2C3A6958 for <tls@core3.amsl.com>; Wed, 30 Dec 2009 09:53:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.454
X-Spam-Level:
X-Spam-Status: No, score=-5.454 tagged_above=-999 required=5 tests=[AWL=-0.345, BAYES_05=-1.11, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id znECxzUHQCDn for <tls@core3.amsl.com>; Wed, 30 Dec 2009 09:53:51 -0800 (PST)
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by core3.amsl.com (Postfix) with ESMTP id C52B83A682A for <tls@ietf.org>; Wed, 30 Dec 2009 09:53:51 -0800 (PST)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CA8978.DEBE9B4C"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Wed, 30 Dec 2009 12:52:35 -0500
Message-ID: <200912301753.nBUHrRw2021772@stingray.missi.ncsc.mil>
In-Reply-To: <1b587cab0912280536u2fbfaa6eo1f1c28b3c3c6da05@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] SCSV vs RI when both specified. Was: Updated draft
thread-index: AcqHwvNWFWFsD5d6SOGoUYAcAHaNRwBs2tFw
References: <90E934FC4BBC1946B3C27E673B4DB0E4A7EE854013@LLE2K7-BE01.mitll.ad.local><4B2FA22D.2090800@extendedsubset.com><BA53741D-8774-41AD-91FF-0882DEAD3BD3@checkpoint.com> <1b587cab0912280536u2fbfaa6eo1f1c28b3c3c6da05@mail.gmail.com>
From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: <tls@ietf.org>
X-OriginalArrivalTime: 30 Dec 2009 17:53:53.0750 (UTC) FILETIME=[0D1C7F60:01CA8979]
Subject: Re: [TLS] SCSV vs RI when both specified. Was: Updated draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2009 17:53:53 -0000

Amazon and Google are free to accept SSLv2 as well as TLSv1.x-unpatched
(minor MSbit unset) if they perceive the benefit of communicating to be
greater than the risk of being attacked.   That has no bearing on
whether the protocol spec for TLSv1.x-patched requires aborting
connections with bozo endpoints, which of course it should.   Service
providers/consumers can make their own choice of which protocol versions
and ciphersuites to accept, with the knowledge that more restrictive
choices will lock out some endpoints.   It has always been thus.

 

Dave

 

 

From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
Ben Laurie
Sent: Monday, December 28, 2009 8:37 AM
To: Yoav Nir
Cc: tls@ietf.org
Subject: Re: [TLS] SCSV vs RI when both specified. Was: Updated draft

 

 

On Tue, Dec 22, 2009 at 8:21 AM, Yoav Nir <ynir@checkpoint.com> wrote:


On Dec 21, 2009, at 6:28 PM, Marsh Ray wrote:

> Blumenthal, Uri - 0662 - MITLL wrote:
>

>> If the
>> protocol spec demands aborting connection, it better have a damn good
>> reason to do so - and more substantive than "some Steve decided it
>> doesn't really matter to him if the peers connect or not".
>
> How about "remote endpoint doesn't pass the bozo test"?

We do not discriminate against bozos.

Seriously, servers are there to communicate. Amazon or Google are not
going to turn away customers because their browsers are a little off.
That's why they agree to work in SSLv2.

 

Oh yes we are :-) 

 

$ openssl s_client -ssl2 -connect www.google.com:443

CONNECTED(00000003)

write:errno=54

 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls