On Mon, Jul 25, 2016 at 09:08:49PM +0200, Martin Rex wrote: > I've just run into a weird interoperability problem with an (alleged) > cloudflare/nginx TLS server and my personal Firefox settings. > > https://regmedia.co.uk/2015/07/14/giant_weta_mike_locke_flicker_cc_20.jpg > > > Traditionally I have all TLS ciphersuites with ECDSA disabled through > about:config, but it seems that recently two new TLS ciphersuites were > added to FF, which caused complete loss of interop with regmedia.co.uk > for me with my existing configuration. (Loss of pictures&media on the > www.theregister.co.uk news site). > > It looks like a bug in the cloudflare/nginx cipher suites selection > algorithm, which appears to blindly go for ECDSA, even though there is > no actual ECDSA cipher suite available which the server supports.
I recently (tried to) implement(ed) TLS 1.2 ciphersuite negotiation in a way that always negotiates something if at least one valid configuration exists, and respects TLS 1.2 rules. The resulting code was totally insane, and I am very much not surprised to see buggy implementations. Nor can I say my implementation is not buggy, as testing that mess is just about impossible (and it it will very much do GIGO in order to maximize interop). -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
