Hi Gert,
Gert Doering wrote:
Hi,
On Thu, Aug 01, 2013 at 12:02:55PM +0200, Jan Just Keijser wrote:
It should be possible to add negotiation without completely breaking
backwards compatibility; right now, when a server pushes an option to
the client that is unrecognized the client will print a warning but it
will not abort. This could be used to push a 'negotation request' - if
the client responds then a negotation phase can start , during which the
encryption key, hashing cipher, MTU settings etc can be negotiated. If
the client does not respond the server would need to assume that it's a
2.3 or older client.
Maybe I'm a bit naive, but since the data layer cipher is independent of
the TLS cipher anyway, can't we just "push cipher xxx"?
Or is push/pull crypted with the data layer cipher?
good question and one that I've asked myself as well - there seems to
be something funny going on with the data layer cipher (or auth parm) .
I remember that I tried making the cipher and auth settings pushable and
failed miserably. The flow of when and how the data cipher (and digest)
are set up seems to be complicated and may happen (partially) *before*
the options are pushed.
Perhaps someone else (JamesY?) can comment on this.
cheers,
JJK