Hi,

On Tue, 3 Oct 2017 17:36:03 +0000 "Salz, Rich via openssl-dev" <openssl-dev@openssl.org> wrote:

> Tests run by various companies, including Google, Mozilla, and
> Facebook, indicate that the “failure rate” of TLS 1.3 is disturbingly
> high. It appears that network hardware such as routers, gateways,
> load balancers and the like, are blocking TLS 1.3 packets because
> they don’t recognize the protocol. They are doing “fail closed” and
> block the connections because they don’t understand it, rather than
> assuming it’s safe to forward. The IETF often uses the term
> “middlebox” to describe such hardware that operates between
> endpoints, and this type of behavior that blocks new protocols as
> “ossification.” The various companies, and no doubt others, are
> trying experiments to tweak the protocol to lower the failure rate.
> For example, in some circumstances it might be acceptable to make a
> TLS 1.3 message look like a TLS 1.2 message (after you’ve already
> committed to doing TLS 1.3).

So I heard chatter about this, but not many details, which I find unfortunate and a bit disturbing. (I'm aware of a single case with Bluetooth HW, but this sounds like it is much more common.)

Can the people involved in these tests please speak up about what's going on here? Particularly, can you please name vendor names?

And quite frankly, I think we need to have a discussion about those vendors. They're harming the Internet and they shouldn't be able to do so without consequences. TLS 1.3 is already built to work around broken middleboxes (the whole new version negotiation and GREASE approach), yet it doesn't seem to help.

If I may dream, I'd like to see a situation where large TLS-friendly players (thinking Google, Cloudflare, etc.) speak up and say that in the future they'll boycott vendors that deploy such Internet-breaking devices.

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
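For readers who want to see concretely what the "make TLS 1.3 look like TLS 1.2" and GREASE remarks above refer to, here is an added Python example (not from this thread, OpenSSL, or any of the companies named): it builds a constructed compatibility-mode TLS 1.3 ClientHello and parses it the way a version-sniffing middlebox would, showing that the wire-visible legacy fields still say 1.2/1.0 while the real offer lives in the supported_versions extension next to a GREASE value. The builder, the GREASE set and the sample contents are assumptions for illustration only.

```python
import struct

# GREASE values (RFC 8701 pattern 0x?A?A): reserved, must be ignored by peers.
GREASE = {v for v in range(0x0A0A, 0xFAFB, 0x1010)}
EXT_SUPPORTED_VERSIONS = 43  # extension type carrying the real TLS 1.3 offer


def build_client_hello(versions, legacy_version=0x0303, session_id=b"\x11" * 32):
    """Constructed compatibility-mode ClientHello: legacy_version pinned to 1.2,
    non-empty legacy_session_id, and the true versions in supported_versions."""
    body = struct.pack("!H", legacy_version)
    body += b"\x00" * 32                       # random (constructed, all zero)
    body += bytes([len(session_id)]) + session_id
    suites = struct.pack("!HH", 0x1301, 0x1302)  # TLS_AES_128/256_GCM_SHA*
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # compression_methods: [null]
    ext_data = bytes([2 * len(versions)]) + b"".join(
        struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: legacy 1.0


def parse_client_hello(data):
    """Return (record_version, legacy_version, offered_versions) where
    offered_versions is supported_versions with GREASE filtered out."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    record_version = struct.unpack_from("!H", data, 1)[0]
    pos = 9                                    # 5-byte record + 4-byte handshake header
    legacy_version = struct.unpack_from("!H", data, pos)[0]; pos += 2
    pos += 32                                  # skip random
    pos += 1 + data[pos]                       # skip legacy_session_id
    n = struct.unpack_from("!H", data, pos)[0]; pos += 2 + n   # skip cipher_suites
    pos += 1 + data[pos]                       # skip compression_methods
    ext_len = struct.unpack_from("!H", data, pos)[0]; pos += 2
    end, versions = pos + ext_len, []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", data, pos); pos += 4
        if etype == EXT_SUPPORTED_VERSIONS:
            vlen = data[pos]
            for i in range(pos + 1, pos + 1 + vlen, 2):
                versions.append(struct.unpack_from("!H", data, i)[0])
        pos += elen
    return record_version, legacy_version, [v for v in versions if v not in GREASE]
```

A middlebox that only reads the record or legacy_version fields sees 0x0301/0x0303 and forwards the packet as TLS 1.2; one that fails closed on the unknown 0x0304 inside supported_versions (or on the GREASE value) is exactly the ossification the thread describes.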