Re: [TLS] Non-browser clients.
Dr Stephen Henson <lists@drh-consultancy.demon.co.uk> Sun, 22 November 2009 12:50 UTC
Return-Path: <lists@drh-consultancy.demon.co.uk>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B16FC3A6A06 for <tls@core3.amsl.com>; Sun, 22 Nov 2009 04:50:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.646
X-Spam-Level:
X-Spam-Status: No, score=-2.646 tagged_above=-999 required=5 tests=[AWL=-0.047, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id behZ0oUBDJut for <tls@core3.amsl.com>; Sun, 22 Nov 2009 04:50:45 -0800 (PST)
Received: from claranet-outbound-smtp00.uk.clara.net (claranet-outbound-smtp00.uk.clara.net [195.8.89.33]) by core3.amsl.com (Postfix) with ESMTP id 056EF3A6836 for <tls@ietf.org>; Sun, 22 Nov 2009 04:50:44 -0800 (PST)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10]:49233 helo=[192.168.7.8]) by relay00.mail.eu.clara.net (relay.clara.net [213.253.3.40]:10587) with esmtpa (authdaemon_plain:drh) id 1NCBtl-0005u8-1k (Exim 4.69) (return-path <lists@drh-consultancy.demon.co.uk>); Sun, 22 Nov 2009 12:50:38 +0000
Message-ID: <4B09339D.7080108@drh-consultancy.demon.co.uk>
Date: Sun, 22 Nov 2009 12:50:37 +0000
From: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Nelson B Bolyard <nelson@bolyard.me>
References: <C72AB6FD.670D%stefan@aaa-sec.com> <4B04F92A.8050903@extendedsubset.com> <4B053CF5.7000105@drh-consultancy.demon.co.uk> <4B059658.2010200@extendedsubset.com> <4B07EA2B.5040809@drh-consultancy.demon.co.uk> <4B08CCA3.3050104@bolyard.me>
In-Reply-To: <4B08CCA3.3050104@bolyard.me>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Non-browser clients.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Nov 2009 12:50:46 -0000
Nelson B Bolyard wrote:
> On 2009-11-21 05:24 PST, Dr Stephen Henson wrote:
>
>> Just to add a point to this which hasn't really been mentioned.
>>
>> The discussion of connection logic has largely been browser-centric;
>> non-browser clients often work in a different way and the current
>> proposal (draft-ietf-tls-renegotiation-01.txt) can cause them significant
>> problems.
>
> Where is this draft? It's not on rfc-editor.org nor on ietf.org.
> Are you referring to draft-RESCORLA-tls-renegotiation-01.txt?
>

Yes, I meant the 01 version at:

https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt

Fallbacks aren't explicitly mentioned in the 00 draft. The whole issue of how
one can support secure renegotiation (if the server supports it) but still
connect to an unpatched SSLv3 or unpatched extension-intolerant TLS server
isn't covered.

The 01 draft resolves this issue but requires fallbacks. It has been mentioned
elsewhere that the obvious fallback techniques using the 00 draft are
vulnerable to downgrade attacks. If anyone has a reference to a fallback
technique that isn't vulnerable and complies with the 00 draft, I'd be
interested to hear it.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project:
http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
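The tension the message describes (a client that offers the renegotiation extension, but retries without it so that it can still reach extension-intolerant servers, and thereby becomes downgradeable) can be made concrete with a small model. The following is a constructed Python simulation added to this archive page; it is not code from the message, from either draft, or from OpenSSL. The classes `Server`, `Network` and the function `connect` are hypothetical, the extension is represented only by the marker string `RENEG_EXT` (assumed to stand for the draft's renegotiation extension), and no real TLS messages are built.

```python
from dataclasses import dataclass

# Marker standing in for the draft's renegotiation extension (assumed name;
# any opaque token would do for this model).
RENEG_EXT = "renegotiation_info"


@dataclass
class ClientHello:
    extensions: tuple


@dataclass
class ServerHello:
    extensions: tuple


class Server:
    """Hypothetical server: 'patched' means it understands RENEG_EXT,
    'extension_intolerant' means any ClientHello with extensions is dropped
    (the unpatched SSLv3 / extension-intolerant case from the message)."""

    def __init__(self, patched: bool, extension_intolerant: bool):
        self.patched = patched
        self.extension_intolerant = extension_intolerant

    def respond(self, hello: ClientHello):
        if hello.extensions and self.extension_intolerant:
            return None  # handshake failure / connection reset
        if self.patched and RENEG_EXT in hello.extensions:
            return ServerHello((RENEG_EXT,))
        return ServerHello(())


class Network:
    """Path between client and server. With active_attacker=True an on-path
    party drops every ClientHello that carries RENEG_EXT; to the client this
    is indistinguishable from an extension-intolerant server."""

    def __init__(self, active_attacker: bool = False):
        self.active_attacker = active_attacker

    def deliver(self, hello: ClientHello, server: Server):
        if self.active_attacker and RENEG_EXT in hello.extensions:
            return None
        return server.respond(hello)


def connect(network: Network, server: Server, allow_fallback: bool):
    """Client connection logic. Returns (secure_renegotiation, fell_back),
    or None when no connection could be established."""
    resp = network.deliver(ClientHello((RENEG_EXT,)), server)
    if resp is not None:
        return (RENEG_EXT in resp.extensions, False)
    if not allow_fallback:
        return None  # strict client: fail closed rather than retry
    resp = network.deliver(ClientHello(()), server)
    if resp is None:
        return None
    return (False, True)  # connected, but without secure renegotiation


def run_scenarios():
    """Outcome table keyed by server / network / client policy."""
    patched = Server(patched=True, extension_intolerant=False)
    legacy = Server(patched=False, extension_intolerant=True)
    quiet, hostile = Network(False), Network(True)
    return {
        "patched/quiet/fallback": connect(quiet, patched, True),
        "legacy/quiet/fallback": connect(quiet, legacy, True),
        "legacy/quiet/strict": connect(quiet, legacy, False),
        "patched/hostile/fallback": connect(hostile, patched, True),
        "patched/hostile/strict": connect(hostile, patched, False),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} -> {outcome}")
```

The row worth staring at is `patched/hostile/fallback`: the client ends up in the same state as with a genuinely unpatched server, so a fallback policy lets an on-path party turn a patched server into an unpatched one from the client's point of view. The strict policy closes that hole but loses the `legacy/quiet` connections that motivated the fallback in the first place, which is exactly the trade-off the message says the 00 draft leaves open.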