On Mar 13, 2018, at 6:16 PM, Russ Housley <hous...@vigilsec.com> wrote:
> This is a bogus argument.
I'm pretty sure there's a Monty Python skit about this, so I won't belabor the
> First, staying with an old protocol version often leads to locking in
> unmaintained versions of old software.
Right, that's one of the stated goals of this work: to be able to continue to
use software that the operator can't upgrade.
> Second, using TLS1.2 does not technically address the issue. If the client
> were to exclusively offer DHE-based ciphersuites, then the visibility
> techniques that have been used in the past are thwarted.
The client in this case is under the control of the operator, so this is a
TLS mailing list