On Wed, Jul 27, 2016 at 9:50 AM, Wan-Teh Chang <w...@google.com> wrote:
> Another source of interop failures is the firewall devices that do
> anomaly detection. Some of them will abort TLS handshakes if they see
> unknown TLS protocol versions or extensions in ClientHello. (They all
> seem to allow unknown cipher suite values.) I suspect they will treat
> the GREASE cipher suite, extension, and named group values as "normal"
> and continue to abort the handshake if they see truly new values. I
> can only hope that these network security devices are updated
> regularly.

Sadly there's very little that we can do to address aggressively bad
devices. Nonetheless, there are several instances of unintentional
bugs in implementations that have caused problems with new-feature
deployment that I believe could have been caught with this proposal.
As ever, bugs are much less costly when found earlier and I believe
that applies equally to the developer and the world as a whole.

I have in mind the cases of extension intolerance that we've thankfully
mostly managed to drive out now (because new extensions have been
added for other reasons) and the bug that led to the padding extension
(RFC 7685).

On the other hand, we've seen what's happened to the version field,
which is moving too slowly to resist rusting.


Cheers

AGL

-- 
Adam Langley a...@imperialviolet.org https://www.imperialviolet.org
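The exchange above turns on two things: what a GREASE value looks like on the wire, and how a middlebox that has "learnt" GREASE would still react to a truly new code point. The script below is an added example written for this page; it is not code from the thread, from Chrome, or from any TLS stack. It builds a TLS 1.2 ClientHello with GREASE prepended to the cipher suite list, the supported_groups list and the extension list (the 0x0a0a..0xfafa values of draft-davidben-tls-grease / RFC 8701), adds the RFC 7685 padding extension when the hello would land in the 256..511 byte range, then parses the hello back the way an anomaly-detecting box might. The "known" tables are a constructed, deliberately stale allowlist (no TLS 1.3 suites, no x25519) standing in for such a box's table; `middlebox_aborts` models the behaviour Wan-Teh describes: unknown cipher suites pass, GREASE passes, anything else new aborts.

```python
import secrets
import struct

# The 16 reserved GREASE code points: 0x0a0a, 0x1a1a, ..., 0xfafa.
GREASE_VALUES = [0x0A0A + 0x1010 * i for i in range(16)]
GREASE_SET = frozenset(GREASE_VALUES)

# Constructed, deliberately stale middlebox allowlist (an assumption of this
# example, not any vendor's table): no TLS 1.3 suites, no x25519.
KNOWN_CIPHER_SUITES = {0xC02B, 0xC02F, 0x009C, 0x002F}
KNOWN_EXTENSIONS = {0, 10, 11, 13, 16, 21, 23, 35}
KNOWN_GROUPS = {23, 24, 25}  # secp256r1, secp384r1, secp521r1


def is_grease(value):
    """True only for the 16 reserved GREASE values."""
    return value in GREASE_SET


def pick_grease():
    """A random GREASE value, as a client would draw per handshake."""
    return secrets.choice(GREASE_VALUES)


def u16_vector(values):
    body = b"".join(struct.pack("!H", v) for v in values)
    return struct.pack("!H", len(body)) + body


def extension(ext_type, body=b""):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(cipher_suites, groups, grease_value, client_random=None):
    """Serialise a TLS 1.2 ClientHello (record + handshake framing) with the
    GREASE value first in cipher suites, named groups and extensions."""
    client_random = client_random or secrets.token_bytes(32)
    exts = extension(grease_value)                                # empty GREASE extension
    exts += extension(10, u16_vector([grease_value] + list(groups)))  # supported_groups
    body = (b"\x03\x03" + client_random + b"\x00"                 # version, random, no session id
            + u16_vector([grease_value] + list(cipher_suites))
            + b"\x01\x00")                                        # compression: null only
    # RFC 7685: keep the ClientHello handshake message out of the 256..511 byte
    # range by adding a zero-filled padding extension (type 21).
    hello_len = 4 + len(body) + 2 + len(exts)
    if 256 <= hello_len < 512:
        exts += extension(21, b"\x00" * max(0, 512 - hello_len - 4))
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class _Reader:
    """Bounds-checked cursor over a byte string; raises on truncation."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack("!H", self.take(2))[0]
    def u24(self): return int.from_bytes(self.take(3), "big")
    def u16_list(self):
        n = self.u16()
        if n % 2:
            raise ValueError("odd u16 vector length")
        return list(struct.unpack("!%dH" % (n // 2), self.take(n)))


def parse_client_hello(record):
    """Parse cipher suites, extensions and supported_groups out of a record."""
    r = _Reader(record)
    if r.u8() != 0x16:
        raise ValueError("not a handshake record")
    r.take(2)                                  # record-layer version, ignored
    r = _Reader(r.take(r.u16()))
    if r.u8() != 0x01:
        raise ValueError("not a ClientHello")
    r = _Reader(r.take(r.u24()))
    out = {"version": r.u16(), "random": r.take(32)}
    r.take(r.u8())                             # session id
    out["cipher_suites"] = r.u16_list()
    r.take(r.u8())                             # compression methods
    out["extensions"] = []
    exts = _Reader(r.take(r.u16()))
    while exts.pos < len(exts.data):
        ext_type = exts.u16()
        out["extensions"].append((ext_type, exts.take(exts.u16())))
    out["groups"] = next((_Reader(b).u16_list() for t, b in out["extensions"] if t == 10), [])
    return out


def middlebox_verdict(hello):
    """Per list: which values are GREASE and which are truly unknown to the box."""
    def classify(values, known):
        return {"grease": [v for v in values if is_grease(v)],
                "unknown": [v for v in values if v not in known and not is_grease(v)]}
    return {"cipher_suites": classify(hello["cipher_suites"], KNOWN_CIPHER_SUITES),
            "extensions": classify([t for t, _ in hello["extensions"]], KNOWN_EXTENSIONS),
            "groups": classify(hello["groups"], KNOWN_GROUPS)}


def middlebox_aborts(hello):
    """The behaviour described above: GREASE and unknown cipher suites pass,
    a truly new extension or named group aborts the handshake."""
    v = middlebox_verdict(hello)
    return bool(v["extensions"]["unknown"] or v["groups"]["unknown"])
```

Running `middlebox_verdict` on a hello that offers TLS_AES_128_GCM_SHA256 (0x1301) and x25519 (29) alongside a GREASE value shows the distinction: the GREASE entries are flagged as noise the box has learnt to expect, the cipher suite slips through because unknown suites are tolerated, and the named group alone is enough to abort. That is exactly the case GREASE cannot paper over, and the case the proposal is meant to surface early in a stack that merely mishandles unknown values rather than policing them.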

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls