In message <am5pr0701mb265783557331e9b4355d0629e4...@am5pr0701mb2657.eurprd07.prod.outlook.com> on Sun, 15 Apr 2018 06:24:48 +0000, Bernd Edlinger <bernd.edlin...@hotmail.de> said:
bernd.edlinger> One possible example of application failure that I am aware of is #5743:
bernd.edlinger> A certificate that is incompatible with TLS1.3 but works with TLS1.2.
bernd.edlinger> Admittedly, I did come up with that scenario only because I saw
bernd.edlinger> a possible issue per code inspection.

This touches an issue that's already mentioned in Matt's blog, and I gotta ask how the protocols to be presented for negotiation are chosen (yes, I know, I could dive into the code... and I will unless there's a quick answer).

Does libssl just pick the max version chosen (within the range that we support unless the application has narrowed it down), or does it also look at other facts, such as chosen server or client certs to see what protocol version range would actually work with those collected facts?

#5743 seems to say that libssl doesn't look at such facts, and can end up in the absurd situation that things stop working because it selected TLSv1.3 over TLSv1.2 when the latter couldn't possibly work right, while TLSv1.2 does.

I can't really say what's right or wrong in this case, this really is a philosophical question more than anything else. Is it all right to just pick a proto version that cannot work and then virtually flip it to the unsuspecting application that wasn't prepared with better data (such as a cert that's also valid in TLSv1.3) or is that essentially wrong, even though easier to deal with in code?

Is that what libssl is doing, or does it have more of a "look at all the facts" approach before choosing the proto range to negotiate with the other end?

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project