From: hiro <23hiro@gmail.com>
Date: Wed, 25 Jan 2023 17:39:58 +0100
To: 9front@9front.org
Subject: Re: [9front] [PATCH] libsec: add minimal support for the tls renegotiation extension
Reply-To: 9front@9front.org

> i'd like to add to the discussion that i encountered this
> problem months ago, but with a custom firefox config:
> https://github.com/arkenfox/user.js/blob/master/user.js#L423
>
> i solved this "problem" by just disabling that setting, but it's
> confusing that openssl adopted this practice too. i don't get
> the point.
>
> 2023-01-24 0:16 GMT, hiro <23hiro@gmail.com>:
>> also, maybe it's enough if we stop supporting tls1.2 ?
>> maybe tls1.1 and tls1.3 can be set up in a safe enough way already?
> that's a terrible idea, there are lots of clients that still don't have
> tls 1.3, and tls 1.2 introduces tons of features that make it more
> secure than 1.1/1.0
> plus someone would have to implement 1.3 :)
>

i don't know enough.
what is the actual minimum tls version enforced by clients (i.e. no
downgrade attacks possible)
seems useless to even twitch that tls1.3 finger until they make sure
downgrades to 1.2 aren't possible (on our server side at least)