Re: [TLS] Proposal for hybrid solution using most of the ideas

To: "tls at ietf.org" <tls at ietf.org>
Subject: Re: [TLS] Proposal for hybrid solution using most of the ideas
From: Dr Stephen Henson <lists at drh-consultancy.demon.co.uk>
Date: Thu, 19 Nov 2009 12:41:25 +0000
Delivered-to: tls at core3.amsl.com
In-reply-to: <4B04F92A.8050903 at extendedsubset.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <C72AB6FD.670D%stefan at aaa-sec.com> <4B04F92A.8050903 at extendedsubset.com>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Marsh Ray wrote:
> Stefan Santesson wrote:
>> What I don't understand is the rationale for providing two solutions, when
>> one solution could work for all cases.
> 
> TLS can support a nice, clean, efficient solution going forward.
> 
> SSLv3 needs an ugly dirty hack, no way around it.
> 

That's would work if you are only using TLS or know a server supports TLS in
advance.

What browsers and many libraries (including OpenSSL) do in the first place is to
send an initial "version discovery" SSLv3 compatible client hello (or even
SSLv2) with the version number set to the maximum number of SSL/TLS supported.
The reply then indicates the version of SSL/TLS supported. Until that point you
don't know what the server supports. So the connection can end up talking TLS
v1.2 even though it initially sent and SSLv3 compatible client hello.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson at drh-consultancy.co.uk, PGP key: via homepage.

Follow-Ups:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Marsh Ray

References:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Stefan Santesson
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Marsh Ray

Prev by Date: Re: [TLS] Need for S->C signaling
Next by Date: Re: [TLS] Proposal for hybrid solution using most of the ideas
Previous by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Index(es):
- Date
- Thread

Re: [TLS] Proposal for hybrid solution using most of the ideas

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.