Lennie Dymoke-Bradshaw wrote:
>Maybe I am trying to teach my granny to suck eggs, but I think TLS includes
the capability to fall back as far as SSLv3 if the other party does not
support TLS. Could this be what you are seeing?
Ah, you're being much too logical. The short answer to your query is "No"
and/or "Not necessarily".
The way SSL/TLS connection setup typically works is that the client says
"Here are the ciphers AND PROTOCOLS" I'm willing to let you, Mr. SSL/TLS
stack, use". Of course the stack can let that default, but the ones I've
seen (like IBM System SSL) don't. This surprised me when I learned it,
because I would have though you could say "Use TLSv1 *or later*" and be done
with it, but no-we have to update our product each time a new TLS version
comes out, simply to tell System SSL "Yes, it's OK to use that protocol".
The result is that you can have a reasonably "modern" client and a
reasonably "modern" server that won't connect, because they don't have any
ciphers in common. It also means that no, things won't necessarily fall
back. Public web servers tend to support fallback-google.com will still do
SSLv3 if you force it to-but more tightly controlled client-server pairs
often do not.
And then there are a whole 'nother set of things that can be incompatible,
like servers that require SNI, and load balancers (I'm looking at you, F5)
that have options ("Unclean shutdown") that irritate System SSL. I suspect
that System SSL is more sensitive to these things than, say, OpenSSL for a
pair of reasons: first, because IBM probably implemented it following the
RFCs; and second, because System SSL has had less real-world exposure to
find out where the real world doesn't follow those.
I'm reminded of the mid-90s when I was apparently the only one on the planet
running a primary DNS using SQL/DS on VM/ESA. IBM implemented TTL per the
RFC, so TTL=0 meant no caching; apparently the rest of the world takes TTL=0
to mean "cache indefinitely". It's fuzzy at this distance but I think IBM
had to change their implementation. (And it's possible I'm describing the
problem wrong, again, 'cause it was a thousand years ago-I just remember
that we had a big problem until IBM fixed it to NOT follow the letter of the
RFC.)
The ubiquity of OpenSSL means it Just Works, so non-Z folks are sorta
spoiled here (in a good way-"Machines should work, people should think" and
all that).
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
