On 23 September 2016 at 00:47, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>> I see your point here. However, where would you draw the line between "I 
>> can't" and "I don't want to"? Think of a cipher suites list with 3 bytes in 
>> a ClientHello. You can still find one cipher suite that could be ok to work 
>> with. However, how can you trust the first two bytes if you find that third 
>> byte telling you something's abnormal?
> The server tries that first cipher, if mutually supported, and if it
> works, it guessed right.  If the finished message from the server is
> valid, the client's handshake as seen by the server was presumably
> exactly what the client sent, so the client gets what it paid for...
> Servers don't have to be that forgiving, but it is a plausible approach.

Another view on this (web view):

Why a server would tolerate rubbish and all the associated complexity,
when none of the users it cares about produce that sort of drivel is
beyond me.

TLS mailing list

Reply via email to