
Re: [TLS] Last Call: <draft-ietf-tls-ssl2-must-not-03.txt>

2010-12-03 13:58:59
Glen Zorn wrote:

> Martin Rex wrote:
>
>> Glen Zorn wrote:
>>
>>> Maybe I just don't understand the word "use".  It seems like if a
>>> server accepts a protocol message it's using the protocol...
>>
>> With "negotiate" I meant returning a ServerHello handshake message with
>> that version number (neither an SSL 2.0 SERVER-HELLO, nor an SSLv3
>> ServerHello with a server version of { 0x02,0x00 }).
>>
>> With "use" I meant to successfully complete the handshake and start
>> exchanging application data protected under protocol version
>> {0x02,0x00}.
>
> Maybe you could spell these things out in the draft just as you have above?

I'm sorry, my explanations were misleading.  I explained what I meant
when I wrote these statements that ended up in the document.

  http://www.ietf.org/mail-archive/web/tls/current/msg07091.html

The author/editor of this I-D is Sean Turner.


>> The Server accepts the SSL 2.0 CLIENT-HELLO protocol data unit (PDU),
>> but not the SSL 2.0 protocol.
>
> I see.  Perhaps the distinction between PDU and "protocol" is just too
> subtle for me, but assuming (maybe too generously ;-) that I'm not a total
> moron, others might find it a little bit confusing as well.

I do agree that the "specification" part is extremely brief.
The best way to adjust this (as we are in IETF Last Call for this
document) is to propose a specific replacement/update text.  :)


The distinction is not so much about the difference between "PDU" and
"protocol" as it is about "active" and "passive" and the general
IETF principle of "Be liberal in what you accept, and conservative
in what you send".

So we don't want servers to "actively" (=send out) SSL 2.0 protocol,
but continue to be liberal in what they accept, e.g. "SSL 2.0 CLIENT-HELLO
as the first message of an SSLv3 or TLS handshake".  At least while
there is _no_known_ security problem associated with this particular
behaviour, because it improves interoperability with the installed
base.


-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
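The server behaviour Martin describes above, as an added Python example that is not code from the thread or from the draft: parse an SSL 2.0-format CLIENT-HELLO PDU (record layout as in RFC 5246 Appendix E.2), accept it as the first message of an SSLv3/TLS handshake, but refuse to answer with a ServerHello of version {0x02,0x00}. The two sample hellos, the `build_v2_client_hello` helper and the cipher-spec values are constructed here for illustration.

```python
"""Accept an SSL 2.0-format CLIENT-HELLO (RFC 5246 App. E.2) without negotiating SSL 2.0."""
import struct

SSL20 = (2, 0)
TLS12 = (3, 3)

def parse_v2_client_hello(data: bytes) -> dict:
    """Return the fields of a V2 CLIENT-HELLO; raise ValueError if malformed."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a V2 record with a 2-byte header")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or length < 9:
        raise ValueError("truncated V2 record")
    if body[0] != 0x01:
        raise ValueError("not a CLIENT-HELLO")
    major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", body[1:9])
    rest = body[9:]
    if len(rest) != cs_len + sid_len + ch_len or cs_len % 3:
        raise ValueError("inconsistent CLIENT-HELLO lengths")
    # Cipher specs are 3 bytes each: TLS/SSLv3 suites are {0x00, hi, lo};
    # a non-zero first byte is an SSL 2.0-only cipher kind.
    specs = [rest[i:i + 3] for i in range(0, cs_len, 3)]
    return {
        "client_version": (major, minor),
        "tls_suites": [(s[1] << 8) | s[2] for s in specs if s[0] == 0],
        "v2_only_specs": sum(1 for s in specs if s[0] != 0),
        "session_id": rest[cs_len:cs_len + sid_len],
        "challenge": rest[cs_len + sid_len:],
    }

def choose_version(hello: dict, server_max=TLS12):
    """Policy from the draft: pick the ServerHello version, or None when the
    only possible outcome would be negotiating SSL 2.0 (handshake refused)."""
    cv = hello["client_version"]
    if cv <= SSL20 or not hello["tls_suites"]:
        return None
    return min(cv, server_max)

def build_v2_client_hello(version, specs, session_id=b"", challenge=b"\x11" * 16):
    """Construct a V2 CLIENT-HELLO record (hypothetical helper, only for the samples)."""
    body = bytes([0x01, *version]) + struct.pack(">HHH", 3 * len(specs), len(session_id), len(challenge))
    body += b"".join(specs) + session_id + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

# Constructed samples: a client that uses the V2 format to offer TLS 1.0
# (plus one SSL 2.0-only cipher kind), and a client that only speaks SSL 2.0.
SAMPLE_TLS10 = build_v2_client_hello((3, 1), [b"\x00\x00\x2f", b"\x01\x00\x80", b"\x00\x00\x0a"])
SAMPLE_SSL20 = build_v2_client_hello((2, 0), [b"\x01\x00\x80", b"\x07\x00\xc0"])
```

`choose_version` returns `(3, 1)` for the first sample and `None` for the second, which is the "liberal in what you accept, never send SSL 2.0" split the thread is about.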