Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-09 Thread Hubert Kario
On Thursday 09 June 2016 05:48:15 Peter Gutmann wrote: > Hubert Kario writes: > >The first one is: > >https://github.com/tomato42/tlsfuzzer > >and aims to be a comprehensive test suite > > Very nice, just setting it up now. One minor request, it'd be useful > to have a

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-08 Thread Hubert Kario
On Tuesday 07 June 2016 21:14:32 Andrei Popov wrote: > Jumping to the end of the thread, it looks like this is an FTP issue > that repros when TLS 1.2 is negotiated. Not a TLS version > intolerance. > The conclusion seems to be that > https://support.microsoft.com/en-us/kb/253 resolves the

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Dave Garrett
On Tuesday, June 07, 2016 05:08:00 pm David Benjamin wrote: > On Tue, Jun 7, 2016 at 5:06 PM Yoav Nir wrote: > > > On 7 Jun 2016, at 8:33 PM, Hubert Kario wrote: > > > On Tuesday 07 June 2016 17:36:01 Yoav Nir wrote: > > >> I’m not sure this helps. > > >>

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Andrei Popov
Jumping to the end of the thread, it looks like this is an FTP issue that repros when TLS 1.2 is negotiated. Not a TLS version intolerance. The conclusion seems to be that https://support.microsoft.com/en-us/kb/253 resolves the issue, by updating FTP binaries. Cheers, Andrei From: TLS

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread David Benjamin
On Tue, Jun 7, 2016 at 5:06 PM Yoav Nir wrote: > > > On 7 Jun 2016, at 8:33 PM, Hubert Kario wrote: > > > > On Tuesday 07 June 2016 17:36:01 Yoav Nir wrote: > >> I’m not sure this helps. > >> > >> I’ve never installed a server that is version intolerant.

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Yoav Nir
> On 7 Jun 2016, at 8:33 PM, Hubert Kario wrote: > > On Tuesday 07 June 2016 17:36:01 Yoav Nir wrote: >> I’m not sure this helps. >> >> I’ve never installed a server that is version intolerant. TLS stacks >> from OpenSSL, Microsoft, > > are you sure about that Microsoft

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Hubert Kario
On Tuesday 07 June 2016 17:36:01 Yoav Nir wrote: > I’m not sure this helps. > > I’ve never installed a server that is version intolerant. TLS stacks > from OpenSSL, Microsoft, are you sure about that Microsoft part? there is quite a long thread on the filezilla forums about TLS version

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Yoav Nir
> On 7 Jun 2016, at 5:47 PM, Salz, Rich wrote: > >> I’m not sure this helps. > > I'm pretty sure it wouldn't help at all, for the reasons you list. Which isn’t to say it’s not worth doing. I’d love to test my implementation against a test suite rather than just making sure

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Salz, Rich
> I’m not sure this helps.  I'm pretty sure it wouldn't help at all, for the reasons you list. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Yoav Nir
I’m not sure this helps. I’ve never installed a server that is version intolerant. TLS stacks from OpenSSL, Microsoft, Java, and most any implementation we can name have been version tolerant forever. Certainly none of us can name any implementation that at any point had a version out that

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Hubert Kario
On Tuesday 07 June 2016 10:22:20 Kyle Rose wrote: > I'm a big fan of the idea of a very strict qualification suite, as > well, to try to head off some of these problems before (faulty) > implementations proliferate. > > Hackathon? I have two approaches I'm working on, they are missing a nice

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Kyle Rose
I'm a big fan of the idea of a very strict qualification suite, as well, to try to head off some of these problems before (faulty) implementations proliferate. Hackathon? Kyle On Jun 7, 2016 2:00 AM, "Peter Gutmann" wrote: > Dave Garrett

Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

2016-06-07 Thread Peter Gutmann
Dave Garrett writes: >Also, as with any new system, we now have the ability to loudly stress to TLS >1.3+ implementers to not screw it up and test for future-proofing this time >around. I think that's the main contribution of a new mechanism, it doesn't really matter