Nelson B wrote:
> Ian G wrote:
>> (OTOH, something like SSLv2 v. SSLv3/TLSv1 is stopping
>> people elsewhere using crypto.
>
> What are you talking about?

This one:

Nelson B wrote:
> Julien Pierre wrote:
>
>> There is a TLS extension called "server name indication". It is
>> currently not implemented by NSS . There are RFEs, you can search
>> bugzilla.
>>
>> I'm not aware of any client or server that implements this extension
>> at this time,
>
>
> The big impediment to this is the continued existence of SSL2-only servers.
> There are still some big-value heavily-used SSL servers out there that
> speak only SSL2.  Here's one:    https://webmail.aol.com/
>
> In order to use the "server name indication" TLS extension, the client must
> send out an SSL3/TLS style "client hello" message as the first message it
> sends to the server.  And today, most browsers do not do that.  They send
> out SSL2 style hellos, which cannot use that extension.  Here's why.
>
> If the client sends an SSL3/TLS style hello to the server, and the server
> is an SSL2 (only) server, the server will misinterpret this SSL3/TLS
> style hello as a very large SSL2 style record, and will wait a long time
> (maybe as little as 30 seconds, or maybe much longer) for the rest of
> the message to come in.  This appears to a browser user as a "hung"
> connection, and tends to anger browser users ("damn browser!"), even
> though it is no fault of the browser's.
>
> To avoid that, browser products continue to this day to send out
> ssl2-style client hello messages, which make SSL2 servers happy, and which
> SSL3/TLS servers interpret as SSL3/TLS hellos.  But there is no way to
> put the new "server name indication" into an SSL2-style client hello.
>
> When all the big-value SSL servers finally all upgrade to newer server
> software that understands more than just SSL2, I think you'll see this
> new "server name indication" come into play.
>

--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
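As an added illustration (not code from the thread or from NSS), the Python below builds a constructed v2-style CLIENT-HELLO and a constructed SSL3/TLS ClientHello carrying a server_name extension for the made-up host "example.com". It shows the record length an SSL2 server would read from the first two bytes of the TLS hello (the "very large SSL2 style record" behind the hang Nelson describes) and extracts the SNI from the TLS hello, which the v2 format simply has no field for.

```python
import struct

def ssl2_record_length(hdr):
    """Length an SSL2 server reads from a record's first bytes: (length, header_size).
    High bit set means a 2-byte header without padding, clear means a 3-byte header."""
    if hdr[0] & 0x80:
        return ((hdr[0] & 0x7F) << 8) | hdr[1], 2
    return ((hdr[0] & 0x3F) << 8) | hdr[1], 3

def build_ssl2_client_hello():
    """Constructed v2-style CLIENT-HELLO offering TLS 1.0: one cipher spec, 16-byte challenge."""
    body = b"\x01\x03\x01" + struct.pack(">HHH", 3, 0, 16) + b"\x00\x00\x2f" + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_tls_client_hello(host):
    """Constructed SSL3/TLS ClientHello with a server_name (type 0) extension."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name            # host_name entry
    sni = struct.pack(">HHH", 0, len(entry) + 2, len(entry)) + entry  # ext type, ext len, list len
    body = (b"\x03\x01" + bytes(32) + b"\x00"                         # version, random, no session id
            + struct.pack(">H", 2) + b"\x00\x2f" + b"\x01\x00"       # one suite, null compression
            + struct.pack(">H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type 1 + 3-byte len
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs          # record: handshake, TLS 1.0

def classify_hello(data):
    """Return ("ssl2", None) for a v2-style hello, ("tls", sni_or_None) for a record-layer one."""
    if data[0] & 0x80 and data[2] == 0x01:
        return "ssl2", None                      # v2 header + CLIENT-HELLO: no extension field exists
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a client hello")
    body = data[9:9 + int.from_bytes(data[6:9], "big")]
    pos = 2 + 32                                 # skip client_version and random
    pos += 1 + body[pos]                         # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                         # compression_methods
    sni = None
    if pos < len(body):                          # optional extensions block follows
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and ext[2] == 0:       # server_name extension, host_name entry
                nlen = struct.unpack(">H", ext[3:5])[0]
                sni = ext[5:5 + nlen].decode("ascii")
    return "tls", sni
```

The 72-byte TLS hello starts with 0x16 0x03, which an SSL2 server decodes as a 3-byte header announcing a 5635-byte record, so it keeps waiting for bytes that never arrive.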