Lennie Dymoke-Bradshaw wrote: >Maybe I am trying to teach my granny to suck eggs, but I think TLS includes the capability to fall back as far as SSLv3 if the other party does not support TLS. Could this be what you are seeing?
Ah, you're being much too logical. The short answer to your query is "No" and/or "Not necessarily". The way SSL/TLS connection setup typically works is that the client says "Here are the ciphers AND PROTOCOLS" I'm willing to let you, Mr. SSL/TLS stack, use". Of course the stack can let that default, but the ones I've seen (like IBM System SSL) don't. This surprised me when I learned it, because I would have though you could say "Use TLSv1 *or later*" and be done with it, but no-we have to update our product each time a new TLS version comes out, simply to tell System SSL "Yes, it's OK to use that protocol". The result is that you can have a reasonably "modern" client and a reasonably "modern" server that won't connect, because they don't have any ciphers in common. It also means that no, things won't necessarily fall back. Public web servers tend to support fallback-google.com will still do SSLv3 if you force it to-but more tightly controlled client-server pairs often do not. And then there are a whole 'nother set of things that can be incompatible, like servers that require SNI, and load balancers (I'm looking at you, F5) that have options ("Unclean shutdown") that irritate System SSL. I suspect that System SSL is more sensitive to these things than, say, OpenSSL for a pair of reasons: first, because IBM probably implemented it following the RFCs; and second, because System SSL has had less real-world exposure to find out where the real world doesn't follow those. I'm reminded of the mid-90s when I was apparently the only one on the planet running a primary DNS using SQL/DS on VM/ESA. IBM implemented TTL per the RFC, so TTL=0 meant no caching; apparently the rest of the world takes TTL=0 to mean "cache indefinitely". It's fuzzy at this distance but I think IBM had to change their implementation. (And it's possible I'm describing the problem wrong, again, 'cause it was a thousand years ago-I just remember that we had a big problem until IBM fixed it to NOT follow the letter of the RFC.) The ubiquity of OpenSSL means it Just Works, so non-Z folks are sorta spoiled here (in a good way-"Machines should work, people should think" and all that). ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN