On Tue, Jan 27, 2009 at 05:20:30PM -0500, Jeffrey Hutzelman wrote:
> --On Tuesday, January 27, 2009 10:51:59 PM +0100 Jan Pechanec
> <Jan.Pechanec at Sun.COM> wrote:
> > however, we keep all modes on the client side for backward
> > compatibility. That's where we saw all the real problems, not on the
> > server side.
>
> Interesting. We only saw one case where people had problems due to a
> client with the new configuration trying to talk to a server that only
> supported CBC mode ciphers. We saw many more problems due to servers
> picking up the new configuration and becoming inaccessible to people with
> clients supporting only CBC-mode ciphers. Unfortunately, it's not always
> realistic to tell those people to upgrade their clients; there are a _lot_
> of clients which don't support other ciphers in any version, and a lot of
> situations in which switching to a different client isn't feasible.

We saw old Solaris 9 servers causing problems for people with new clients.
Perhaps we really can do no better than to move CBC ciphers to the rear of
the client list.

Nico
--
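
The effect of list ordering discussed in this thread, as an added example that is not part of the original messages: SSH selects the first cipher on the client's list that the server also supports (RFC 4253, section 7.1), so moving CBC modes to the rear of the client list keeps CBC-only servers reachable while preferring other modes wherever the server offers them. The cipher lists and peer names below are constructed for illustration and are not any vendor's actual defaults.

```python
"""Simulate SSH cipher negotiation (RFC 4253, section 7.1) for several peers."""


def negotiate(client, server):
    """Return the first cipher on the client's list the server supports, else None."""
    server_set = set(server)
    for cipher in client:
        if cipher in server_set:
            return cipher
    return None  # no common cipher: the connection fails


def is_cbc(cipher):
    return cipher.endswith("-cbc")


def cbc_to_rear(ciphers):
    """Stable reorder: non-CBC ciphers first, CBC ciphers last."""
    return [c for c in ciphers if not is_cbc(c)] + [c for c in ciphers if is_cbc(c)]


# Constructed sample configurations (assumptions, not real product defaults).
CLIENT_OLD_ORDER = ["aes128-cbc", "3des-cbc", "aes128-ctr", "aes256-ctr"]
CLIENTS = {
    "client, CBC first": CLIENT_OLD_ORDER,
    "client, CBC at rear": cbc_to_rear(CLIENT_OLD_ORDER),
    "client, CBC removed": [c for c in CLIENT_OLD_ORDER if not is_cbc(c)],
    "client, CBC only": [c for c in CLIENT_OLD_ORDER if is_cbc(c)],
}
SERVERS = {
    "server, CBC only": ["aes128-cbc", "3des-cbc"],
    "server, both": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "server, CBC removed": ["aes128-ctr", "aes256-ctr"],
}


def matrix():
    """Negotiated cipher (or None) for every client/server pairing."""
    return {(c, s): negotiate(cl, sv)
            for c, cl in CLIENTS.items() for s, sv in SERVERS.items()}


if __name__ == "__main__":
    for (client, server), chosen in matrix().items():
        print(f"{client:22} -> {server:20}: {chosen or 'NO COMMON CIPHER'}")
```
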