Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-23 Thread Hubert Kario
On Wednesday 22 October 2014 15:54:57 Julien Pierre wrote: Hubert, On 10/22/2014 05:27, Hubert Kario wrote: Problem is that if something doesn't work in one browser and does in another, users blame the browser. Even if the browser that doesn't work does the right thing. What if all

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-23 Thread Julien Pierre
Hubert, On 10/23/2014 07:53, Hubert Kario wrote: Are there phones/tablets which can't install any 3rd party browsers at all? AFAIK, iOS devices require you to use the system TLS stack. I see, I didn't know. But it still would seem that any second connection (fallback) would be dictated by

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-22 Thread Hubert Kario
On Tuesday 21 October 2014 16:10:52 Julien Pierre wrote: Hubert, On 10/21/2014 05:06, Hubert Kario wrote: Yes, it's external to the TLS, and yes, it's bad that browsers do use the manual fallback. Yes, the servers should be regularly updated and as such bugs that cause it fixed. Yes, the

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-22 Thread Julien Pierre
Hubert, On 10/22/2014 05:27, Hubert Kario wrote: Problem is that if something doesn't work in one browser and does in another, users blame the browser. Even if the browser that doesn't work does the right thing. What if all browsers started doing the right thing? Recommending the use of

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-21 Thread Kai Engert
On Tue, 2014-10-21 at 01:40 +0200, Kai Engert wrote: On Thu, 2014-10-16 at 20:51 +0200, Kai Engert wrote: Do you claim that Firefox 34 will continue to fall back to SSL 3 when necessary? Yes. If I understand correctly, it seems that Firefox indeed still falls back to SSL3, even with SSL3

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-21 Thread Hubert Kario
- Original Message - From: Julien Pierre julien.pie...@oracle.com To: mozilla's crypto code discussion list dev-tech-crypto@lists.mozilla.org Sent: Tuesday, 21 October, 2014 1:59:44 AM Subject: Re: Proposal: Disable SSLv3 in Firefox ESR 31 Kai, On 10/20/2014 16:47, Kai Engert

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-21 Thread Florian Weimer
* Julien Pierre: The whole TLS_FALLBACK_SCSV would be unnecessary if not for this browser misbehavior - and I hope the IETF will reject it. Technically, we still need the codepoint assignments from the IETF draft because of their widespread use, and that requires Standards Action, which means

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-21 Thread Kai Engert
So, let's get this clarified with test results. I've tested Firefox 34 beta 1. Because bug 1076983 hasn't landed on the beta branch yet, the current Firefox 34 beta 1 still has SSL3 enabled. With this current default configuration (SSL3 enabled), Firefox will fall back to SSL3. Then I used

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-21 Thread Florian Weimer
* Kai Engert: When attempting to connect to a SSL3-only server, Which is now treated as version-intolerant, it seems. I see Firefox 34 attempting three connections, with TLS 1.2 {3,3}, TLS 1.1 {3,2} and TLS 1.0 {3,1}, but not SSL3. This still shows the fallback attempts, to TLS 1.0 even,

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-21 Thread Julien Pierre
Hubert, On 10/21/2014 05:06, Hubert Kario wrote: Yes, it's external to the TLS, and yes, it's bad that browsers do use the manual fallback. Yes, the servers should be regularly updated and as such bugs that cause it fixed. Yes, the configurations should be updated to align them with current

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-21 Thread Julien Pierre
Florian, On 10/21/2014 06:38, Florian Weimer wrote: I still think the fallback behavior you have shown is a browser bug, and should be fixed there, but its removal. There seems to be rather vehement disagreement, but I don't get why. +1, any fallback is a bug. SSL has built-in protocol

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-21 Thread Julien Pierre
Kai, On 10/21/2014 05:31, Kai Engert wrote: So, let's get this clarified with test results. I've tested Firefox 34 beta 1. Because bug 1076983 hasn't landed on the beta branch yet, the current Firefox 34 beta 1 still has SSL3 enabled. With this current default configuration (SSL3 enabled),

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-21 Thread Julien Pierre
Florian, On 10/21/2014 05:24, Florian Weimer wrote: * Julien Pierre: The whole TLS_FALLBACK_SCSV would be unnecessary if not for this browser misbehavior - and I hope the IETF will reject it. Technically, we still need the codepoint assignments from the IETF draft because of their widespread

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-20 Thread Kai Engert
On Thu, 2014-10-16 at 20:51 +0200, Kai Engert wrote: Do you claim that Firefox 34 will continue to fall back to SSL 3 when necessary? Yes. If I understand correctly, it seems that Firefox indeed still falls back to SSL3, even with SSL3 disabled. I found

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-20 Thread Julien Pierre
Kai, What is the purpose of Firefox continuing to do any fallback at all? IMO, making a second connection with any lower version of SSL/TLS defeats the intent of the SSL/TLS protocol, which has built-in defenses against protocol version downgrade. Isn't it time this fallback gets eliminated

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-20 Thread Kai Engert
On Mon, 2014-10-20 at 16:45 -0700, Julien Pierre wrote: What is the purpose of Firefox continuing to do any fallback at all? IMO, making a second connection with any lower version of SSL/TLS defeats the intent of the SSL/TLS protocol, which has built-in defenses against protocol version

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-20 Thread Reed Loden
On Tue, 21 Oct 2014 01:40:45 +0200 Kai Engert k...@kuix.de wrote: On Thu, 2014-10-16 at 20:51 +0200, Kai Engert wrote: Do you claim that Firefox 34 will continue to fall back to SSL 3 when necessary? Yes. If I understand correctly, it seems that Firefox indeed still falls back to SSL3,

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Kai Engert
On Thu, 2014-10-16 at 10:31 -0700, Richard Barnes wrote: By now, you've probably heard about the POODLE attacks on SSLv3, and our decision to disable SSLv3 by default in Firefox 34 [1]. Several people have proposed that we also make this change in Firefox ESR 31. So I wanted to propose

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Florian Weimer
* Richard Barnes: If there are any objections or comments on that proposal, please raise them in this thread. A lot of this has already been hashed out on the IETF TLS WG mailing list, with a slightly different perspective. Why is disabling SSL 3.0 acceptable, but getting rid of the broken

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Kai Engert
On Thu, 2014-10-16 at 20:27 +0200, Florian Weimer wrote: A lot of this has already been hashed out on the IETF TLS WG mailing list, with a slightly different perspective. Why is disabling SSL 3.0 acceptable, but getting rid of the broken fallback which will keep endangering users for a long

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Reed Loden
On Thu, 16 Oct 2014 20:27:24 +0200 Florian Weimer f...@deneb.enyo.de wrote: * Richard Barnes: If there are any objections or comments on that proposal, please raise them in this thread. A lot of this has already been hashed out on the IETF TLS WG mailing list, with a slightly different

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Florian Weimer
* Reed Loden: On Thu, 16 Oct 2014 20:27:24 +0200 Florian Weimer f...@deneb.enyo.de wrote: * Richard Barnes: If there are any objections or comments on that proposal, please raise them in this thread. A lot of this has already been hashed out on the IETF TLS WG mailing list, with a

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Julien Pierre
Florian, On 10/16/2014 12:50, Florian Weimer wrote: Neither. I'm talking about the out-of-protocol insecure version negotiation for TLS implemented in Firefox. That's a broader scope than bug 689814, which is strictly about fallback to SSL 3.0. +1 This fallback needs to get removed,