Update

Paul Yang yang.yang at baishancloud.com
Wed May 22 02:09:44 UTC 2019
> On May 21, 2019, at 06:20, Matt Caswell <matt at openssl.org> wrote:
> 
> 
> On 20/05/2019 20:01, Kurt Roeckx wrote:
>> On Mon, May 20, 2019 at 10:21:45AM -0700, Paul Yang wrote:
>>> 
>>> The Chinese modified TLS protocol is not intended to interoperate with any other TLS protocols. The cipher suites defined in this protocol should not be used with the standard IETF TLS. So I guess what Matt said would be feasible to do. But in reality, users may want to have a combination of both IETF TLS and Chinese TLS together when they launch a TLS server or client, to have the auto-selection functionality if a TLS client comes in. So the way of implementation would be tricky...
>> 
>> So I think there are 3 options:
>> - You use TLS, not some Chinese variant, and add things like Chinese
>>  ciphers to it.
> 
> That would be fine but my understanding is that the Chinese government mandates
> this particular Chinese variant in some situations - so we'd also have to change
> government policy which doesn't seem very likely ;-)

You are right. There are currently no official Chinese national standards that define cipher suites for IETF TLS yet.

> 
>> - Use something that's not TLS at all, a Chinese variant, and
>>  don't support both protocols on the same port.
> 
> If we decide to add support for the Chinese variant, then this would be my
> preferred way of doing it.
> 
>> - Support both on the same port. This will require coordination
>>  with IANA and/or IETF.
> 
> I'd be opposed to this last option without IANA/IETF being on board. By doing so
> we are effectively no longer compliant with IETF TLS since we're using certain
> codepoints and version numbers to mean things that IETF/IANA have no visibility
> of, i.e. we would be doing exactly what Rich was worried about. I don't see
> IANA/IETF doing this anytime soon.
> 
> Matt
> 