Yo Richard!

On Sat, 2 Feb 2019 17:55:22 -0600
Richard Laager via devel <devel@ntpsec.org> wrote:

> On 2/2/19 3:06 PM, Gary E. Miller via devel wrote:
> >>
> >> We have a min option.
> > As previously discussed here. A min option was tried by others in
> > the past, and failed. When SSL 2 gave way to TLS 1, the min
> > broke.
>
> Huh? What's the problem here?

The problem is SSL version 2 is not a number. So we can't encode the
minimum as a number. It has to be a token.

Or, to look another way, the OpenSSL function we call takes a token, not
a number, to allow for name changes. Since we have to get to that, why
not start there?

> The epoch in renumbering from SSL 2 & 3
> to TLS 1.0?

Yup. We got bit by that last time. Don't get bit by it next name
change. OpenSSL knows this, that is why they specify min with a token,
not a number. We have to turn the number into a token, why not start
with a token?

> At this point, a minimum TLS version seems perfectly
> reasonable.

Yes, but soon, when TLS 1.2 is replaced with XXX 1.0, it is no longer
reasonable. The same mess that happened from SSL to TLS, all over
again.

> So is a list of versions, but a minimum is simpler.

Yes, IFF the minimum is a token, not a number. But, we then need a
maximum, so we can both do testing, and have a way to talk to servers
with broken TLS 1.3.

So, flip a coin: min/max, or list. Similar results, but the latter is
what Apache and others do, so is more familiar to the admin.

You just can't use a number.

These are all lessons from the past, let us not repeat those mistakes.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
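An added illustration of the min/max-versus-list point in the message above (not code from the post or from NTPsec): an Apache-style list of protocol tokens is parsed and reduced to a minimum and a maximum token, with no version number compared anywhere. Python's `ssl` module stands in for the OpenSSL call; the function names and token spellings are assumptions made for this example.

```python
import ssl

# Token table, constructed for this example, oldest protocol first.
# Tokens are names: a future protocol rename only appends a row, and
# nothing below depends on "1.2 < 1.3" being true as numbers.
TOKENS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
NAMES = [name for name, _ in TOKENS]


def parse_protocols(value):
    """Turn a list such as 'TLSv1.2 TLSv1.3' into (min_token, max_token)."""
    wanted = value.split()
    if not wanted:
        raise ValueError("empty protocol list")
    for tok in wanted:
        if tok not in NAMES:
            # Bare numbers such as "1.2" land here: only tokens are accepted.
            raise ValueError("unknown protocol token: %r" % tok)
    idx = sorted({NAMES.index(tok) for tok in wanted})
    # A min/max pair can only express a contiguous range, so a list
    # with a hole in it is rejected instead of being silently widened.
    if idx != list(range(idx[0], idx[-1] + 1)):
        raise ValueError("protocol list has a gap: %r" % value)
    return NAMES[idx[0]], NAMES[idx[-1]]


def apply_protocols(ctx, value):
    """Set the parsed range on an ssl.SSLContext and return the context."""
    lo, hi = parse_protocols(value)
    table = dict(TOKENS)
    ctx.minimum_version = table[lo]
    ctx.maximum_version = table[hi]
    return ctx
```

A one-token list such as `TLSv1.2` pins both ends of the range, which covers the "servers with broken TLS 1.3" case from the message.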