On Tuesday, 13 March 2018 23:16:47 CET Russ Housley wrote:
> Ted:
> > There's an easy way to do this, although as a sometime bank security geek
> > I would strongly advise you to not do it: keep using TLS 1.2.
> This is a bogus argument. First, staying with an old protocol version often
> leads to locking in unmaintained versions of old software.
This is simply not true; the newest versions of OpenSSL, NSS, GnuTLS and
schannel allow you to disable TLS 1.2 and TLS 1.1 protocol support to
effectively support only TLS 1.0! If your vendor can't implement that feature,
I can hardly call such software "maintained" in the first place.

> Second, using TLS1.2 does not technically address the issue. If the client
> were to exclusively offer DHE-based ciphersuites, then the visibility
> techniques that have been used in the past are thwarted.

Sorry, but this is a complete non sequitur; that client behaviour has nothing
to do with TLS 1.3's existence or the way it works.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
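The two points in the message above (a maintained library lets you cap the protocol version at runtime, and a client that only offers DHE/ECDHE suites already defeats passive decryption with the server's RSA key) can both be checked against a real TLS stack. The following is an added illustration written for this page, not code from Hubert Kario, Russ Housley or the IETF TLS working group. It uses Python's standard ssl module on top of OpenSSL 1.1.1 or 3.x; the two cipher strings are constructed for the example, and the "Kx=" parsing relies on OpenSSL's one-line cipher description format.

```python
import ssl

# Constructed cipher strings (OpenSSL cipher-list syntax) for the two client
# policies under discussion. Neither string appears in the original thread.
FORWARD_SECRET_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"
WITH_STATIC_RSA = FORWARD_SECRET_ONLY + ":AES128-GCM-SHA256:AES256-GCM-SHA384"


def tls12_only_context(cipher_string):
    """Client context that will only ever negotiate TLS 1.2.

    This is what "keep using TLS 1.2" means with a maintained library: the
    version cap is a runtime setting on a current build, not a frozen old one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def protocol_range(ctx):
    """(min, max) protocol names the context will offer, e.g. ('TLSv1_2', 'TLSv1_2')."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


def key_exchange(cipher):
    """Extract the Kx= token from OpenSSL's one-line cipher description."""
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token[3:]
    return "unknown"


def static_rsa_suites(ctx):
    """Names of the TLS 1.2 suites in ctx that use static RSA key exchange.

    Only these sessions can be decrypted passively by someone holding a copy
    of the server's RSA private key. TLS 1.3 suites are skipped: OpenSSL lists
    them in the cipher stack regardless of the version cap, and they are
    (EC)DHE-based in any case.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and key_exchange(c) == "RSA"]


def passively_decryptable(ctx):
    """True if an on-path observer with the server key could read some sessions."""
    return len(static_rsa_suites(ctx)) > 0


if __name__ == "__main__":
    for label, policy in (("DHE/ECDHE only", FORWARD_SECRET_ONLY),
                          ("with static RSA", WITH_STATIC_RSA)):
        ctx = tls12_only_context(policy)
        print(label, protocol_range(ctx),
              "static RSA suites:", static_rsa_suites(ctx) or "none")
```

Run stand-alone it prints, for each policy, the pinned version range and which of the offered TLS 1.2 suites still allow passive decryption; with the DHE/ECDHE-only string that list is empty even though the context never offers TLS 1.3, which is the point made in the reply.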