[openssl-project] Potentially bad news on TLS 1.3 compatibility (sans SNI)

Viktor Dukhovni openssl-users at dukhovni.org
Wed Apr 18 15:05:05 UTC 2018



> On Apr 18, 2018, at 10:43 AM, Andy Polyakov <appro at openssl.org> wrote:
> 
> It can either be a probe just to see if it's reasonable to demand it, or
> establish a precedent that they can refer to saying "it was always like
> that, *your* application is broken, not ours." Also note that formally
> speaking you can't blame them for demanding it. But you can blame them
> for demanding it wrong. I mean they shouldn't try to communicate through
> the OU of a self-signed certificate, but by terminating the connection with
> a missing_extension alert, should they?

What I can blame them for is being counter-productively pedantic. Forget the RFC language: does what they're doing make sense and improve security, or is it just a pointless downgrade justified by RFC text lawyering?

-- 
	Viktor.


