On Tue, Jul 14, 2015 at 08:06:19PM +0000, Andrei Popov wrote:

> If opportunistic TLS handshakes need to be indistinguishable from
> server-authenticated TLS handshakes, then perhaps opportunistic clients
> have no choice but to send the signature_algorithms extension (when offering
> TLS1.2). The absence of signature_algorithms in a TLS 1.2 ClientHello can
> be used as a signal by the MITM.
Nobody is suggesting that opportunistic clients employ the extension in question differently from other clients. The proposal under discussion is about how servers respond when their certificate chain is not unequivocally compatible. Correct server behaviour is to return some sort of chain, and let the client decide.

TLS used by opportunistic TLS clients largely looks the same as TLS used by other clients, except that anon_DH may be offered, which has little bearing on the signature algorithms extension.

--
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls