Michael Tandy wrote:
>> We can enable it always, I think, just as what the EC extension does now. But
>> we need to consider a very small part of old servers which are not ready to
>> read any extension data field, so we might need an approach to disable all
>> extensions. Maybe adding a new system property to switch the extension is
>> not so bad. (Personally, I dislike using system property.)
>
> Well, for old servers people have the option to use the SSL v2 Hello,
> in which case the extensions don't get sent.

Good point. But for FIPS-140 compliance, TLS 1.0 should be used; SSL v2 Hello will not be used in a FIPS validated environment.

> Do you think it's likely a server would require SSL3 or TLS, but
> wouldn't support hello extensions?

Yes, I do remember that some of the current SSL/TLS servers may refuse to accept connections from a client that used TLS extensions. Please refer to [1] and [2].

Thanks,
Andrew

[1]: http://blogs.msdn.com/ie/archive/2006/04/17/577702.aspx
[2]: http://blogs.msdn.com/wndp/archive/2006/04/12/tls_enabled_by_default.aspx
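The trade-off discussed above (SSLv2Hello avoids sending extensions to legacy servers, but is not an option under FIPS, where only TLS 1.0 and up should be enabled) can be expressed as a client-side protocol policy in JSSE. The following is an added example written for this thread, not code from the JDK or from either poster; the property name `example.ssl.legacyHello` and the `example.fips` flag are made up for illustration, and the code assumes the JDK's `SSLv2Hello` pseudo-protocol is present in `getSupportedProtocols()`.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class HelloFormatChooser {
    // Hypothetical switch names for this example; neither is a real JSSE property.
    static final String LEGACY_HELLO_PROP = "example.ssl.legacyHello";
    static final String FIPS_MODE_PROP = "example.fips";

    /**
     * Chooses which protocols to enable from the list the provider supports.
     *
     * - SSLv2Hello makes JSSE send an SSLv2-format ClientHello, which carries
     *   no extensions, so it only helps with servers that choke on extensions.
     *   It is excluded whenever FIPS mode is on.
     * - SSLv3 is excluded in FIPS mode; TLS 1.x versions are always kept.
     */
    static String[] chooseProtocols(String[] supported, boolean fipsMode, boolean legacyServer) {
        List<String> enabled = new ArrayList<>();
        for (String p : supported) {
            if ("SSLv2Hello".equals(p)) {
                if (legacyServer && !fipsMode) {
                    enabled.add(p);
                }
            } else if ("SSLv3".equals(p)) {
                if (!fipsMode) {
                    enabled.add(p);
                }
            } else if (p.startsWith("TLSv1")) {
                enabled.add(p);
            }
            // Anything else (e.g. SSLv2) is left disabled.
        }
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        boolean legacyServer = Boolean.getBoolean(LEGACY_HELLO_PROP);
        boolean fipsMode = Boolean.getBoolean(FIPS_MODE_PROP);

        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        // createSocket() with no arguments returns an unconnected socket, so the
        // protocol list can be fixed before any handshake is attempted.
        SSLSocket socket = (SSLSocket) factory.createSocket();
        try {
            String[] chosen = chooseProtocols(socket.getSupportedProtocols(), fipsMode, legacyServer);
            socket.setEnabledProtocols(chosen);
            System.out.println("Enabled protocols: " + Arrays.toString(socket.getEnabledProtocols()));
        } finally {
            socket.close();
        }
    }
}
```

Run with `-Dexample.ssl.legacyHello=true` to get the extension-free SSLv2-format hello for an old server, or with `-Dexample.fips=true` to see SSLv2Hello and SSLv3 dropped regardless of the legacy switch. On newer JDKs some of the listed versions may additionally be filtered by `jdk.tls.disabledAlgorithms`, which this example does not override.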