Matt Caswell matt at openssl.org
Mon May 20 22:20:52 UTC 2019

On 20/05/2019 20:01, Kurt Roeckx wrote:
> On Mon, May 20, 2019 at 10:21:45AM -0700, Paul Yang wrote:
>> The Chinese modified TLS protocol is not intended to interoperate with any other TLS protocols. The cipher suites defined in this protocol should not be used with the standard IETF TLS. So I guess what Matt said would be feasible to do. But in reality, users may want to have a combination of both IETF TLS and Chinese TLS together when he launches a TLS server or client, to have the auto-selection functionality if a TLS client comes in. So the way of implementation would be tricky...
> So I think there are 3 options:
> - You use TLS, not some Chinese variant, and add things like Chinese
>   ciphers to it.

That would be fine but my understanding is that the Chinese government mandate
this particular Chinese variant in some situations - so we'd also have to change
government policy which doesn't seem very likely ;-)

> - Use something that's not TLS at all, a Chinese variant, and
>   don't support both protocols on the same port.

If we decide to add support for the Chinese variant, then this would be my
preferred way of doing it.

> - Support both on the same port. This will require coordination
>   with IANA and/or IETF.

I'd be opposed to this last option without IANA/IETF being on board. By doing so
we are effectively no longer compliant with IETF TLS since we're using certain
codepoints and version numbers to mean things that IETF/IANA have no visibility
of, i.e. we would be doing exactly what Rich was worried about. I don't see
IANA/IETF doing this anytime soon.
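Added example, not OpenSSL code and not part of the thread above: a ClientHello peek showing what "both on the same port" would actually have to decide on, and why the codepoint question matters. GM/T 0024-2014 puts version 0x0101 in the hello and uses cipher suite codepoints such as 0xE011 (ECDHE_SM4_SM3) and 0xE013 (ECC_SM4_SM3); those values are from that standard. The builder, parser and the classify() policy are this example's own, and the hello bytes it feeds itself are constructed samples. The iana_codepoint_space() check makes the codepoint point concrete: RFC 5246 A.5 reserves only 0xFF00-0xFFFF for private use, so the 0xE0xx suites sit in IANA-managed space where a later IETF assignment could collide.

```python
"""Demultiplex IETF TLS and GM/T 0024 ClientHellos on one port (example, not OpenSSL)."""
import struct

HANDSHAKE = 22      # TLS record content type
CLIENT_HELLO = 1    # handshake message type

# GM/T 0024-2014 fixes the hello version at 1.1 == 0x0101, a value the IETF never
# assigned (SSLv3 is 0x0300, TLS 1.0 to 1.2 are 0x0301 to 0x0303).
GMT_VERSION = 0x0101
# A few GM/T 0024 cipher suite codepoints (SM4 with SM3/SHA1). Names are informal.
GMT_SUITES = {0xE011: "ECDHE_SM4_SM3", 0xE013: "ECC_SM4_SM3",
              0xE019: "RSA_SM4_SM3", 0xE01A: "RSA_SM4_SHA1"}


def iana_codepoint_space(suite: int) -> str:
    """RFC 5246 A.5: 0xFF00-0xFFFF is reserved for private use; everything
    below that is IETF/IANA-managed, so an unregistered value there can collide."""
    if 0xFF00 <= suite <= 0xFFFF:
        return "private-use"
    return "iana-managed"


def build_client_hello(version: int, suites, record_version=None) -> bytes:
    """Construct a minimal ClientHello record (sample data for the parser below).
    Real IETF clients normally put 0x0301 in the record header; GM/T clients
    put 0x0101 there. The default follows the hello version."""
    if record_version is None:
        record_version = version
    client_random = bytes(32)            # constructed sample; zeros are fine here
    body = struct.pack("!H", version) + client_random + b"\x00"   # empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                  # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, record_version, len(hs)) + hs


def parse_client_hello(data: bytes) -> dict:
    """Pull record version, hello version and cipher suites out of a ClientHello.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:                  # version(2) + random(32) + session id len(1)
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32
    sid_len = hello[pos]
    pos += 1 + sid_len
    if pos + 2 > len(hello):
        raise ValueError("truncated session id")
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"record_version": rec_ver, "client_version": client_version,
            "cipher_suites": suites}


def classify(hello: dict) -> str:
    """Which engine a same-port server would hand this hello to.
    'gmt'       : GM/T 0024 hello version, route to the Chinese-variant stack.
    'ietf'      : an IETF TLS version with only IANA-visible suites.
    'ambiguous' : IETF TLS version but offering GM/T codepoints; IETF TLS has no
                  defined meaning for them, which is the coordination problem.
    'unknown'   : neither, reject."""
    v = hello["client_version"]
    offers_gmt = any(s in GMT_SUITES for s in hello["cipher_suites"])
    if v == GMT_VERSION:
        return "gmt"
    if 0x0300 <= v <= 0x0304:
        return "ambiguous" if offers_gmt else "ietf"
    return "unknown"


if __name__ == "__main__":
    for label, msg in [("gmt", build_client_hello(GMT_VERSION, [0xE011, 0xE013])),
                       ("ietf", build_client_hello(0x0303, [0x1301, 0xC02B], 0x0301)),
                       ("mixed", build_client_hello(0x0303, [0xC02B, 0xE011], 0x0301))]:
        h = parse_client_hello(msg)
        print(label, hex(h["client_version"]), [hex(s) for s in h["cipher_suites"]],
              "->", classify(h))
    print("0xE011 is", iana_codepoint_space(0xE011), "; 0xFF01 is", iana_codepoint_space(0xFF01))
```

Running the block prints one line per constructed hello; the "mixed" case is the one a same-port server could not route without some agreement on what 0xE0xx means inside an IETF-version hello.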


