Martin Thomson <martin.thom...@gmail.com> wrote: > On 17 September 2015 at 14:46, Brian Smith <br...@briansmith.org> wrote: > > Browser vendors, if web servers were to stop sending alerts during > handshake > > failures, would you start doing version fallback when a connection is > > closed? > > I'm not sure. We still have a small amount of vestigal fallback code > in our code. We are gradually killing version fallback off and > removing alerts would likely set that effort back. >
Actually, Firefox has already stopped doing version fallback completely for all versions of TLS it supports, unless the website is on a whitelist. That's not really "gradually." We're not sure where we stand with version fallback and 1.3. We don't > know how much version intolerance 1.3 will generate. That at least > might not depend on alerts, though we don't know just yet. > A conformant TLS 1.3 implementation cannot be version intolerant. If it were version intolerant then it would not be a conformant TLS 1.3 implementation. So, conformance requirements for TLS .1.3 servers don't matter as far as version intolerance is concerned. > I don't see much support for the notion that forbidding alerts is a > good idea. We use alerts quite a bit for basic diagnosis. Bad > configurations are pretty commonplace, the most common being one where > there is no common cipher suite. Being able to isolate the error that > is pretty useful. > I still think it is better to recommend to never send alerts. But, at least there are good reasons (which I gave much earlier in the thread) for why a server would choose not to send alerts, e.g. out of an abundance of caution. So, "MUST send" is clearly too far. Cheers, Brian -- https://briansmith.org/
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls