At 5:43 AM -0800 1/28/97, David P. Kemp wrote:
>It's true that "mix and match" CipherSuites are cause for concern and
>need to be carefully analyzed. And, as Wagner&Schneier points out,
>SSLRef 3.0b1 (a beta version) failed to include a check for the change
>cipher suite message, which could cause a problem with
>authentication-only CipherSuites but not with encrypted CipherSuites.
>This was an implementation error, not a protocol specification error,
>but I agree with W&S that the protocol specification should be changed
>to be more resistant to implementation errors.

BTW, that particular bug was fixed in SSLRef 3.0 final, and of course in SSL Plus. I suspect that there are a number of proprietary implementations that have similar bugs.

Also, my belief is that the above "implementation" error will be covered when we release the new TLS draft.

------------------------------------------------------------------------
..Christopher Allen Consensus Development Corporation..
..<ChristopherA@consensus.com> 1563 Solano Avenue #355..
.. Berkeley, CA 94707-2116..
..Home of "SSL Plus: o510/559-1500 f510/559-1505..
.. SSL 3.0 Integration Suite(tm)" <http://www.consensus.com/SSLPlus/>..

Received on Tuesday, 28 January 1997 11:24:42 EST
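
A receiver-side check of the kind the thread says SSLRef 3.0b1 lacked, as an added example that is not part of the original message and is not SSLRef or SSL Plus code: a Finished message is accepted only after the peer's ChangeCipherSpec has been seen. The struct, function and array names are hypothetical and the sample flights are constructed; the content-type and handshake-type numbers are those of the SSL 3.0 specification.

```c
#include <stddef.h>

/* Record content types and handshake message types from the SSL 3.0 spec. */
enum { CT_CHANGE_CIPHER_SPEC = 20, CT_HANDSHAKE = 22 };
enum { HS_CLIENT_KEY_EXCHANGE = 16, HS_FINISHED = 20 };

/* Hypothetical, simplified incoming record (not SSLRef's own types). */
struct record { int content_type; int hs_type; /* hs_type used for CT_HANDSHAKE */ };
struct hs_state { int ccs_seen; int finished_seen; };

/* Returns 0 to continue, -1 for a fatal unexpected-message condition. */
int hs_accept(struct hs_state *st, const struct record *r)
{
    if (st->finished_seen)
        return -1;                      /* nothing more expected in this flight */
    if (r->content_type == CT_CHANGE_CIPHER_SPEC) {
        if (st->ccs_seen)
            return -1;                  /* duplicate ChangeCipherSpec */
        st->ccs_seen = 1;               /* a real stack activates the pending cipher spec here */
        return 0;
    }
    if (r->content_type != CT_HANDSHAKE)
        return -1;
    if (r->hs_type == HS_FINISHED) {
        if (!st->ccs_seen)
            return -1;                  /* the check: no Finished without prior CCS */
        st->finished_seen = 1;
        return 0;
    }
    return st->ccs_seen ? -1 : 0;       /* only Finished may follow CCS */
}

/* Runs a whole flight; succeeds only if Finished was accepted after CCS. */
int hs_run(const struct record *recs, size_t n)
{
    struct hs_state st = {0, 0};
    for (size_t i = 0; i < n; i++)
        if (hs_accept(&st, &recs[i]) != 0)
            return -1;
    return st.finished_seen ? 0 : -1;
}

/* Constructed sample flights: one well-formed, one with ChangeCipherSpec missing. */
const struct record GOOD_FLIGHT[] = {
    {CT_HANDSHAKE, HS_CLIENT_KEY_EXCHANGE}, {CT_CHANGE_CIPHER_SPEC, 0}, {CT_HANDSHAKE, HS_FINISHED} };
const struct record NO_CCS_FLIGHT[] = {
    {CT_HANDSHAKE, HS_CLIENT_KEY_EXCHANGE}, {CT_HANDSHAKE, HS_FINISHED} };

int main(void) { return (hs_run(GOOD_FLIGHT, 3) == 0 && hs_run(NO_CCS_FLIGHT, 2) == -1) ? 0 : 1; }
```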
This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:34:56 EDT