Frank Hecker wrote:
>
> John Gardiner Myers wrote:
> > Why are FIPS ciphers listed under TLS? I thought they were only
> > relevant to SSLv3.
>
> That's correct to the best of my knowledge. If the protocol being used
> is TLS 1.0 (as opposed to SSL 3.0) then there should be no FIPS
> ciphersuites selectable in the UI. (And of course, there should be no
> FIPS ciphersuites implemented in the TLS protocol itself.)

The SSL3 and TLS protocols have the client send a list of the ciphersuites
it (the client) supports to the server. This list provides no means to
indicate that some ciphersuites are supported only in one version but not
another (e.g. in SSL3, not TLS). So, in effect, a client that supports TLS
and SSL3 must support any SSL3/TLS ciphersuite in both SSL3 and TLS.

Hence the UI should NOT be designed to give the user the idea that it is
possible to enable a given ciphersuite separately for SSL3 and for TLS.

Now that we support TLS, it is my opinion that we should drop the old
proprietary "FIPS" ciphersuites ASAP. TLS with DES is FIPS compliant
without any additional special ciphersuites. The "FIPS" ciphersuites
were meant to be only a temporary measure until such time as we implemented
TLS, which we have now done.
--
Nelson Bolyard Sun / Netscape Alliance
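
The single-list behaviour described in the reply above, as an added example that is not part of the original post and is not NSS code: a ClientHello body carries one `client_version` and one ciphersuite list, so a server that negotiates down to SSL 3.0 picks from the same list as one that negotiates TLS 1.0. The function names and the sample hello are constructed for illustration; 0xFEFF is the code point NSS uses for `SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA`.

```python
import struct

# Constructed sample suites: 3DES, DES, and the Netscape "FIPS" 3DES suite.
SUITES = [0x000A, 0x0009, 0xFEFF]

def build_client_hello(version, suites):
    """Build a ClientHello body (SSL 3.0 / TLS 1.0 layout, no extensions)."""
    body = bytes(version)                       # client_version: major, minor
    body += bytes(32)                           # random (zeroed in this sample)
    body += b"\x00"                             # empty session_id
    body += struct.pack("!H", 2 * len(suites))  # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                         # one compression method: null
    return body

def parse_client_hello(body):
    """Return (client_version, offered_suites); there is only one of each."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34                                    # skip version + random
    pos += 1 + body[pos]                        # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!H", body, pos + i)[0]
              for i in range(0, cs_len, 2)]
    return version, suites

def negotiate(body, server_max, server_suites):
    """Server side: pick a version, then a suite from the one offered list."""
    client_version, offered = parse_client_hello(body)
    version = min(client_version, server_max)   # highest version both support
    for suite in server_suites:                 # server preference order
        if suite in offered:
            return version, suite
    return version, None

if __name__ == "__main__":
    hello = build_client_hello((3, 1), SUITES)
    for server_max in [(3, 0), (3, 1)]:
        version, suite = negotiate(hello, server_max, [0xFEFF, 0x000A])
        print("negotiated %d.%d with suite 0x%04X" % (version + (suite,)))
```
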