- From: Christopher Allen <ChristopherA@consensus.com>
- Date: Tue, 28 Jan 1997 08:14:36 -0800
- To: dpkemp@missi.ncsc.mil (David P. Kemp)
- Cc: ssl-talk@netscape.com, ietf-tls@www10.w3.org
At 5:43 AM -0800 1/28/97, David P. Kemp wrote: >It's true that "mix and match" CipherSuites are cause for concern and >need to be carefully analyzed. And, as Wagner&Schneier points out, >SSLRef 3.0b1 (a beta version) failed to include a check for the change >cipher suite message, which could cause a problem with >authentication-only CipherSuites but not with encrypted CipherSuites. >This was an implementation error, not a protocol specification error, >but I agree with W&S that the protocol specification should be changed >to be more resistant to implementation errors. BTW, that particular bug was fixed in SSLRef 3.0 final, and of course in SSL Plus. I suspect that there are a number of proprietary implementations that have similar bugs. Also, my belief is that the above "implementation" error will be covered when we release the new TLS draft. ------------------------------------------------------------------------ ..Christopher Allen Consensus Development Corporation.. ..<ChristopherA@consensus.com> 1563 Solano Avenue #355.. .. Berkeley, CA 94707-2116.. ..Home of "SSL Plus: o510/559-1500 f510/559-1505.. .. SSL 3.0 Integration Suite(tm)" <http://www.consensus.com/SSLPlus/>..
Received on Tuesday, 28 January 1997 11:24:42 UTC