Thanks, Martin. This is correct. So there are two ways to fix this: As Martin suggests, make TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA one of the MTI instead of the current, or Add 0xC0,0x23 (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) to the list of ciphersuites.
The first seems more consistent to me. Chairs: guidance? Note that the document is in the RFC editor queue so we’ll need AD approval for the change at this late date. Thanks Yoav > On 24 Oct 2017, at 16:22, Martin Rex <m...@sap.com> wrote: > > I just noticed a strange inconsistency in section 6 of > draft-ietf-tls-rfc4492bis-17 > > https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-17#section-6 > > The last of the "must implement 1 of these 4" list of cipher suites at > the end of section 6 is not contained in the table at the beginning of > section 6 above it (instead, it appears in rfc5289 only). > > I believe that the last ciphersuites should be changed (which will > provide consistence with the second list entry (the TLSv1.2 MTI cipher suite). > > > -Martin > > > +-----------------------------------------+----------------+ > | CipherSuite | Identifier | > +-----------------------------------------+----------------+ > | TLS_ECDHE_ECDSA_WITH_NULL_SHA | { 0xC0, 0x06 } | > | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x08 } | > | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | { 0xC0, 0x09 } | > | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | { 0xC0, 0x0A } | > | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | { 0xC0, 0x2B } | > | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | { 0xC0, 0x2C } | > | | | > | TLS_ECDHE_RSA_WITH_NULL_SHA | { 0xC0, 0x10 } | > | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x12 } | > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | { 0xC0, 0x13 } | > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | { 0xC0, 0x14 } | > | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | { 0xC0, 0x2F } | > | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | { 0xC0, 0x30 } | > | | | > | TLS_ECDH_anon_WITH_NULL_SHA | { 0xC0, 0x15 } | > | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | { 0xC0, 0x17 } | > | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | { 0xC0, 0x18 } | > | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | { 0xC0, 0x19 } | > +-----------------------------------------+----------------+ > > > Server implementations SHOULD support all of the following cipher > suites, and client implementations SHOULD support at least one of > them: > > o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA > o TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > + o TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA > - o TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls