Re: Handling NULL key exchange for NULL_ ciphersuite

There is an argument that says that TLS_NULL_WITH_NULL_NULL should
definitely be implemented in production TLS implementations.  It is useful
for troubleshooting.  Presumably such an implemenation would employ
warnings, blinking lights, sirens, loud warnings, extra user prompts, or
whatever it takes to ensure it was only used for testing.

This is the Internet, and this is the IETF.  We're supposed to be
interested in realistic deployable systems.  It should be possible for a
bunch of smart people to build field-maintainable systems, using
technologies such as TLS_NULL_WITH_NULL_NULL, in a safe and productive manner.

(OK, all the crypto experts in the room can yell at me now.  I'm ready!)

>Ned Smith wrote:
>> What is the correct way to interpret handling of the NULL ciphersuite
>> for key exchange?
>> The TLS spec (excerpts provided below) appears to be vague in its
>> description of how key exchange handling is done if the NULL
>> ciphersuite is negotiated. I don't recall seeing any statement
>> indicating it is illegal to negotiate a NULL ciphersuite. My
>> assumption is the NULL ciphersuite could be negotiated anytime it is
>> legal to negotiate any other ciphersuite (its regular).
>I assume you mean TLS_NULL_WITH_NULL_NULL.  Although the spec does not
>explicitly forbid negotiating to this cipher suite, it should.  If an
>implementation allows negotiation to this cipher suite, it is open to
>a rollback attack.
>You should only break rules of style if you can    | Tom Weinstein
>coherently explain what you gain by so doing.      |

Rodney Thayer <>
PGP Fingerprint: BB1B6428 409129AC  076B9DE1 4C250DD8

Received on Friday, 31 January 1997 09:55:27 UTC