Update

Paul Yang yang.yang at baishancloud.com
Mon May 20 17:21:45 UTC 2019



> On May 20, 2019, at 07:49, Matt Caswell <matt at openssl.org> wrote:
> 
> 
> On 20/05/2019 15:23, Salz, Rich wrote:
>>> I don't see it that way. As I understand it this is a completely different
>>> protocol to standard TLS.
>> 
>> That's an interesting point, but ... they use the SSL "name."
> 
> Which isn't even an IETF name...the IETF call it TLS ;-)
> 
>>> It is not intended to interoperate with it in any way.
>> Is that true?  I didn't look closely at the protocol changes, but maybe you're right.  On the other hand, if so, then why keep the existing IETF numbers?
> 
> 
> That was my understanding.
> 
> But perhaps Paul Yang can confirm?

The Chinese modified TLS protocol is not intended to interoperate with any other TLS protocols. The cipher suites defined in this protocol should not be used with the standard IETF TLS. So I guess what Matt said would be feasible to do. But in reality, users may want to have a combination of both IETF TLS and Chinese TLS together when they launch a TLS server or client, to have the auto-selection functionality when a TLS client comes in. So the way of implementation would be tricky...

Another problem we are still facing nowadays is that there *would* even be interoperability issues between Chinese TLS implementations (as we discussed earlier in Vancouver). GM/T 0024 is not very strict and clear on several details of the protocol, thus implementations have the freedom to be diverse. So if OpenSSL finally picks up the Chinese TLS, we probably need to make sure the implementation is widely tested against most Chinese TLS implementations. As Tim asked at: https://github.com/openssl/openssl/pull/8910#issuecomment-491964656
> 
>>> As a completely different protocol they can use whatever codepoints they want to
>>> use as they see fit - and there is no conflict with IETF specifications.
>> 
>> If you are correct, then yes I agree.  But that makes any OpenSSL integration that much harder, doesn't it?  Would the project take on the work of making things like the apps and tests work?  In particular, a new global flag saying "tnssl" (or such), and failing to interop with existing TLS, checking the modified cipher suites (and disallowing them for real TLS), etc.
>> 
>> 
> Yes, we would have to take care that the two really are separate.
> 
> Matt
> 
> 

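As an added example, not from this thread and not OpenSSL code, here is one shape the "auto-selection" Paul describes and the "disallow the modified cipher suites for real TLS" check Rich asks about could take at the ClientHello boundary: parse the hello, pick a stack from the client_version, and never let a GM/T suite be selected by the IETF stack (or vice versa). The GM/T 0024 version number (0x0101) and the cipher suite codepoints in the table are assumptions recalled from GM/T 0024-2014, not stated in the thread; verify them against the specification. The sample hellos are constructed inline.

```python
"""Route a ClientHello to an IETF TLS stack or a GM/T 0024 stack and keep the
two cipher suite namespaces apart. Example code; the constants below are
assumptions, not values taken from the mailing-list thread."""
import struct

# Assumed: GM/T 0024 uses protocol version 1.1 on the wire.
GMTLS_VERSION = 0x0101
# TLS 1.0..1.2; a TLS 1.3 hello also carries legacy_version 0x0303.
IETF_VERSIONS = {0x0301, 0x0302, 0x0303}
# Assumed GM/T 0024-2014 cipher suite codepoints (verify against the spec).
GM_CIPHER_SUITES = {
    0xE001, 0xE003, 0xE005, 0xE007, 0xE009, 0xE00A,  # SM1-based suites
    0xE011, 0xE013, 0xE015, 0xE017, 0xE019, 0xE01A,  # SM4-based suites
}


class ProtocolMismatch(ValueError):
    """A well-formed hello that mixes or lacks the suites its version requires."""


def parse_client_hello(data):
    """Return (record_version, client_version, cipher_suites) from one
    TLS/GM record holding a ClientHello; raise ValueError on malformed input."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    client_version = int.from_bytes(hello[0:2], "big")
    pos = 34                      # client_version (2) + random (32)
    pos += 1 + hello[pos]         # session_id<0..32>
    if pos + 2 > len(hello):
        raise ValueError("truncated session_id")
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites vector")
    suites = [int.from_bytes(hello[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    return rec_ver, client_version, suites


def dispatch(data, gm_enabled=True, ietf_enabled=True):
    """Return ("gm", usable_suites) or ("ietf", usable_suites).

    GM/T suites are filtered out for an IETF hello and only GM/T suites are
    kept for a GM/T hello, so neither stack can ever select the other's
    codepoints. An empty usable set, or a disabled stack, is a mismatch."""
    _, client_version, suites = parse_client_hello(data)
    if client_version == GMTLS_VERSION:
        if not gm_enabled:
            raise ProtocolMismatch("GM/T 0024 hello but GM/T support is disabled")
        usable = [s for s in suites if s in GM_CIPHER_SUITES]
        if not usable:
            raise ProtocolMismatch("GM/T 0024 hello offers no GM/T cipher suites")
        return "gm", usable
    if client_version in IETF_VERSIONS:
        if not ietf_enabled:
            raise ProtocolMismatch("IETF TLS hello but IETF TLS is disabled")
        usable = [s for s in suites if s not in GM_CIPHER_SUITES]
        if not usable:
            raise ProtocolMismatch("IETF TLS hello offers only GM/T cipher suites")
        return "ietf", usable
    raise ProtocolMismatch(f"unsupported client_version 0x{client_version:04x}")


def safe_dispatch(data, **kw):
    """dispatch() that reports instead of raising: ("rejected"|"malformed", why)."""
    try:
        return dispatch(data, **kw)
    except ProtocolMismatch as e:
        return "rejected", str(e)
    except ValueError as e:
        return "malformed", str(e)


def build_client_hello(version, suites, random=b"\x00" * 32):
    """Construct a minimal ClientHello record (sample input for the demo)."""
    assert len(random) == 32
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + random + b"\x00"      # empty session_id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")   # null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs


if __name__ == "__main__":
    for label, hello in [
        ("ietf", build_client_hello(0x0303, [0xC02F, 0x1301])),
        ("gm", build_client_hello(GMTLS_VERSION, [0xE011, 0xE013])),
        ("mixed", build_client_hello(0x0303, [0xC02F, 0xE011])),
        ("gm-only on tls", build_client_hello(0x0303, [0xE011])),
    ]:
        print(f"{label:15} -> {safe_dispatch(hello)}")
```

The policy chosen here matches what standard TLS already does with unknown suites (ignore them) while making the split explicit: a GM/T codepoint on an IETF hello is simply never a candidate for selection. A deployment that wants to log or alert on such hellos rather than silently dropping the suite can do so where `usable` is computed.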