On Tue, 2014-08-05 at 19:13 -0400, Daniel Kahn Gillmor wrote: > On 08/05/2014 06:24 PM, Simo Sorce wrote: > > > I have been working for a little while on making it possible to use > > channel bindings within an Apache server. > > In order to do that some support to extract information form the TLS > > layer is necessary in the server. > > This is great idea, but be aware that tls_unique is fundamentally broken > in its current form: > > http://secure-resumption.com/ > > This will be fixed with an update to TLS, which was recently approved > for adoption by the TLS WG: > > https://tools.ietf.org/html/draft-bhargavan-tls-session-hash-01 > > but i don't think it's implemented in any of the major toolkits yet.
Yeah I know it is broken, does it mean you want to have it disabled and return an error if requested until a fixed openssl library/call is available ? I care more for tls-server-end-point for now anyway as that's what Microsoft browsers use. Simo. -- Simo Sorce * Red Hat, Inc * New York