On Tue, 2014-10-21 at 01:40 +0200, Kai Engert wrote:
On Thu, 2014-10-16 at 20:51 +0200, Kai Engert wrote:
Do you claim that Firefox 34 will continue to fall back to SSL 3 when
necessary?
Yes. If I understand correctly, it seems that Firefox indeed still falls
back to SSL3, even with SSL3
- Original Message -
From: Julien Pierre julien.pie...@oracle.com
To: mozilla's crypto code discussion list
dev-tech-crypto@lists.mozilla.org
Sent: Tuesday, 21 October, 2014 1:59:44 AM
Subject: Re: Proposal: Disable SSLv3 in Firefox ESR 31
Kai,
On 10/20/2014 16:47, Kai Engert
* Julien Pierre:
The whole TLS_FALLBACK_SCSV would be unnecessary if not for this
browser misbehavior - and I hope the IETF will reject it.
Technically, we still need the codepoint assignments from the IETF
draft because of their widespread use, and that requires Standards
Action, which means
So, let's get this clarified with test results.
I've tested Firefox 34 beta 1.
Because bug 1076983 hasn't landed on the beta branch yet, the current
Firefox 34 beta 1 still has SSL3 enabled.
With this current default configuration (SSL3 enabled), Firefox will
fall back to SSL3.
Then I used
* Kai Engert:
When attempting to connect to a SSL3-only server,
Which is now treated as version-intolerant, it seems.
I see Firefox 34 attempting three connections, with TLS 1.2 {3,3},
TLS 1.1 {3,2} and TLS 1.0 {3,1}, but not SSL3.
This still shows the fallback attempts, to TLS 1.0 even,
--On October 20, 2014 16:43:01 -0700 Julien Pierre julien.pie...@oracle.com
wrote:
Hubert,
On 10/20/2014 05:10, Hubert Kario wrote:
So I went over the https://wiki.mozilla.org/Security/Server_Side_TLS
article with a bit more attention to detail and I think we should
extend it in few places.
Hubert,
On 10/21/2014 05:06, Hubert Kario wrote:
Yes, it's external to the TLS, and yes, it's bad that browsers do use
the manual fallback. Yes, the servers should be regularly updated and
as such bugs that cause it fixed. Yes, the configurations should be
updated to align them with current
Florian,
On 10/21/2014 06:38, Florian Weimer wrote:
I still think the fallback behavior you have shown is a browser bug,
and should be fixed there, but its removal. There seems to be rather
vehement disagreement, but I don't get why.
+1, any fallback is a bug. SSL has built-in protocol
Chris,
On 10/21/2014 11:43, Chris Newman wrote:
At this point, the OpenSSL-style cipher suite adjustment string has become a
de-facto standard. So I believe NSS should be modified to follow that de-facto
standard rather than expecting those writing security advice to do extra work:
Kai,
On 10/21/2014 05:31, Kai Engert wrote:
So, let's get this clarified with test results.
I've tested Firefox 34 beta 1.
Because bug 1076983 hasn't landed on the beta branch yet, the current
Firefox 34 beta 1 still has SSL3 enabled.
With this current default configuration (SSL3 enabled),
Florian,
On 10/21/2014 05:24, Florian Weimer wrote:
* Julien Pierre:
The whole TLS_FALLBACK_SCSV would be unnecessary if not for this
browser misbehavior - and I hope the IETF will reject it.
Technically, we still need the codepoint assignments from the IETF
draft because of their widespread
On 2014-10-21 19:20, Julien Pierre wrote:
I wasn't even specifically referring to cipher strings, but the whole
document seems to be about servers running OpenSSL, though I did see a
few references to GnuTLS as well.
There are also servers running NSS, Microsoft SSL stacks, proprietary SSL