Brian,

On 10/18/2011 14:42, Brian Smith wrote:
> There is one known regression.

Do you mean one separate from the SSL 2.0 change, and BEAST? If so, which one?

> Also, the BEAST workaround is an incompatible change for some applications.

From what I have read of the BEAST workaround discussion, it breaks certain older existing SSL servers, notably some of Oracle's servers (not NSS based servers). But this only affects client code. The reverse BEAST code change is on the server side too. Do we know that it breaks any old browsers?

I'm more concerned about server side. My understanding is that the BEAST workaround doesn't really help a server app. It is the client that really needs to be patched for the specific exploit. The server cannot really prevent the exploit with an SSL/TLS stack fix. The server-side code change would help only if someone creates a theoretical reverse BEAST type of exploit.

Julien

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
