From: kemal
Date: Wed, 25 Jan 2023 17:30:29 +0000
To: 9front@9front.org
Subject: Re: [9front] [PATCH] libsec: add minimal support for the tls renegotiation extension

2023-01-25 17:18 GMT, hiro <23hiro@gmail.com>:
> well i know that's not the case. tls 1.3 downgrade attacks are always
> possible atm.
> what i wasn't sure is if downgrades to tls1.1 are still possible in
> practice.
> i was just hoping that maybe one could save some effort and skip a
> version, but i guess not.
> and anyway dragons are lurking in tls1.3, too.
>

yes, you're right, tls1.3 definitely has vulns. it's just that no
downgrade attack is known, but someone may find one :)

downgrading to tls 1.1 wouldn't help, afaik the extension can be
used with 1.0-1.2 so openssl probably checks for the extension in
those versions too. even if we tried to, the tls 1.3 spec mandates
that the highest supported version must be stated as 1.2, and 1.3
support stated in a new extension. so i think we can't downgrade
the handshake to 1.1 or 1.0.
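
The version signalling discussed in this message (legacy_version stated as 1.2, TLS 1.3 support carried in the supported_versions extension, next to the renegotiation_info extension the patch is about), as an added example that is not part of the original message and is not libsec code. The names `HelloInfo`, `skipvec`, `parse_hello` and `sample_hello` are hypothetical, and the sample ClientHello body is constructed.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct {
	uint16_t legacy_version; /* fixed field; a TLS 1.3 client sends 0x0303 */
	int offers_tls13;        /* supported_versions (0x002b) lists 0x0304 */
	int has_reneg_info;      /* renegotiation_info (0xff01) is present */
} HelloInfo;

/* Constructed ClientHello body (no handshake header), all-zero random. */
const uint8_t sample_hello[] = {
	0x03,0x03, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
	0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
	0x00, 0x00,0x02,0x13,0x01, 0x01,0x00, 0x00,0x0c,
	0xff,0x01,0x00,0x01,0x00, 0x00,0x2b,0x00,0x03,0x02,0x03,0x04 };

static size_t be16(const uint8_t *p) { return (size_t)p[0] << 8 | p[1]; }

/* Skip a vector with an lb-byte length prefix; -1 if it overruns e. */
static int skipvec(const uint8_t **p, const uint8_t *e, size_t lb)
{
	size_t n = (size_t)(e - *p) < lb ? 0 : (lb == 1 ? (*p)[0] : be16(*p));
	if ((size_t)(e - *p) < lb + n) return -1;
	*p += lb + n;
	return 0;
}

/* Returns 0 on success, -1 on a malformed or truncated body. */
int parse_hello(const uint8_t *p, size_t len, HelloInfo *hi)
{
	const uint8_t *e = p + len;
	size_t type, n, i;
	hi->offers_tls13 = hi->has_reneg_info = 0;
	if (len < 34) return -1;
	hi->legacy_version = (uint16_t)be16(p);
	p += 34; /* legacy_version + 32-byte random */
	/* session_id, cipher_suites, compression_methods */
	if (skipvec(&p, e, 1) || skipvec(&p, e, 2) || skipvec(&p, e, 1)) return -1;
	if (p == e) return 0; /* no extensions block */
	if (e - p < 2 || (size_t)(e - p) - 2 != be16(p)) return -1;
	for (p += 2; p < e; p += n) {
		if (e - p < 4) return -1;
		type = be16(p); n = be16(p + 2); p += 4;
		if ((size_t)(e - p) < n) return -1;
		if (type == 0xff01) hi->has_reneg_info = 1;
		if (type != 0x002b) continue;
		/* ClientHello form: 1-byte list length, then 2-byte versions */
		if (n < 3 || p[0] != n - 1 || p[0] % 2) return -1;
		for (i = 1; i < n; i += 2)
			if (be16(p + i) == 0x0304) hi->offers_tls13 = 1;
	}
	return 0;
}
```

On the sample, `legacy_version` reads 0x0303 while `offers_tls13` and `has_reneg_info` are both set, which is the combination a peer sees from a TLS 1.3 client that also sends the renegotiation extension.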