Re: [TLS] Keeping TLS extension points working

2016-07-25 Thread David Benjamin
On Mon, Jul 25, 2016 at 7:23 PM Viktor Dukhovni wrote: > On Mon, Jul 25, 2016 at 10:32:29PM +, David Benjamin wrote: > > > I'm not sure how this process usually works, but I would like to reserve > a > > bunch of values in the TLS registries to as part of an idea to

Re: [TLS] Keeping TLS extension points working

2016-07-25 Thread Viktor Dukhovni
On Mon, Jul 25, 2016 at 10:32:29PM +, David Benjamin wrote: > I'm not sure how this process usually works, but I would like to reserve a > bunch of values in the TLS registries to as part of an idea to keep our > extension points working. Here's an I-D: > >

Re: [TLS] Keeping TLS extension points working

2016-07-25 Thread David Benjamin
On Mon, Jul 25, 2016 at 6:32 PM David Benjamin wrote: > Hi folks, > > I'm not sure how this process usually works, but I would like to reserve a > bunch of values in the TLS registries to as part of an idea to keep our > extension points working. Here's an I-D: >

Re: [TLS] weird ECDSA interop problem with cloudflare/nginx

2016-07-25 Thread Benjamin Kaduk
If I remember/understand correctly, the cloudflare patch for chacha/poly would (when server preference is in use) only attempt to use it when it appeared first in the client's preference list, and would ignore it elsewhere. This could potentially lead to negotiation failures if, e.g., the server

Re: [TLS] weird ECDSA interop problem with cloudflare/nginx

2016-07-25 Thread Ilari Liusvaara
On Mon, Jul 25, 2016 at 04:36:27PM -0400, Viktor Dukhovni wrote: > > > On Jul 25, 2016, at 3:08 PM, Martin Rex wrote: > > > > specifically, after the FF update, this new TLS ciphersuite: > > > > security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256 (0xcc, 0xa9) > > > > was the only

Re: [TLS] weird ECDSA interop problem with cloudflare/nginx

2016-07-25 Thread Viktor Dukhovni
> On Jul 25, 2016, at 3:08 PM, Martin Rex wrote: > > specifically, after the FF update, this new TLS ciphersuite: > > security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256 (0xcc, 0xa9) > > was the only ECDSA cipher suite enabled in my Firefox 47.0.1, and this > kills connectivity (TLS

Re: [TLS] weird ECDSA interop problem with cloudflare/nginx

2016-07-25 Thread Viktor Dukhovni
> On Jul 25, 2016, at 3:08 PM, Martin Rex wrote: > > https://regmedia.co.uk/2015/07/14/giant_weta_mike_locke_flicker_cc_20.jpg FWIW, OpenSSL interoperates with this server: Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 4169 bytes

Re: [TLS] weird ECDSA interop problem with cloudflare/nginx

2016-07-25 Thread Ilari Liusvaara
On Mon, Jul 25, 2016 at 09:08:49PM +0200, Martin Rex wrote: > I've just run into a weird interoperability problem with an (alleged) > cloudflare/nginx TLS server and my personal Firefox settings. > > https://regmedia.co.uk/2015/07/14/giant_weta_mike_locke_flicker_cc_20.jpg > > > Traditionally I

[TLS] weird ECDSA interop problem with cloudflare/nginx

2016-07-25 Thread Martin Rex
I've just run into a weird interoperability problem with an (alleged) cloudflare/nginx TLS server and my personal Firefox settings. https://regmedia.co.uk/2015/07/14/giant_weta_mike_locke_flicker_cc_20.jpg Traditionally I have all TLS ciphersuites with ECDSA disabled through about:config, but