Hanno Böck wrote:
Checking application/pgp-signature: FAILURE
> Hubert Kario <[email protected]> wrote:
>
>> so it looks to me like while we may gain a bit of compatibility by
>> using extension based mechanism to indicate TLSv1.3,
Forget TLS extensions, forget ClientHello.client_version.
Both in fundamentally broken, and led to Web Browsers coming up
with the "downgrade dance" that is target&victim of the POODLE attack.
We know fairly reliably what kind of negotiation works just fine:
TLS cipher suite codepoints.
Please define *ALL* TLSv1.3-specific cipher suites to
a) indicate that the client offering it supports (at least) TLSv1.3
b) that indication (a) will override any lower ClientHello.client_version
that may have been used for backwards compatibility.
>
> I'm now also collecting some data and have some preliminary
> suspicion on affected devices. My numbers roughly match yours that we
> are in the more or less 3% area of 1.3 intolerance.
The TLSv1.2 version intolerance is already a huge problem,
and I'm not seeing it go away. Acutally Microsoft created an
awfully large installed base of TLSv1.2-intolerant servers
(the entire installed base of Win7 through Win8.1 aka 2008R2, 2012, 2012R2).
I would really like to see the TLS WG improving the situation
rather than keep sitting on its hands. The problem has been well-known
since 2005. And the "downgrade dance" was a predictably lame approach
to deal with the situation, because it completely subverts/evades the
cryptographic protection of the TLS handshake.
-Martin
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
