From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=0.2 required=5.0 tests=DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM autolearn=no autolearn_force=no version=3.4.4 Received: (qmail 25477 invoked from network); 25 Jan 2023 17:19:42 -0000 Received: from 9front.inri.net (168.235.81.73) by inbox.vuxu.org with ESMTPUTF8; 25 Jan 2023 17:19:42 -0000 Received: from mail-ua1-f46.google.com ([209.85.222.46]) by 9front; Wed Jan 25 12:18:24 -0500 2023 Received: by mail-ua1-f46.google.com with SMTP id j1so4845583uan.1 for <9front@9front.org>; Wed, 25 Jan 2023 09:18:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:references:in-reply-to:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=72wc0AStVAuzNIL4HrM/GOrXQ7oUPuF1mX2pT2y0cKk=; b=U6hAfBo2s6ChcdMGS/p2nZe9Cst8uC/6ZN3aQizr0cAHONgwuPEjzgvJnuyp/Q4536 ovGvlNnQOkZ5fc8F55Hm9auEgPA/9Zud2n6Z3m/LjGvJuBZE6T+qsR18yjAHScSJ60sr cy+ADy3Jy7XtLJnpDqadX+Je7WRHxEcCwIlRVlsOG50K9l1teKnadVTfxVGJbYtFZGQd /0dakazwbcT5QNYSEQmIEsYONK8KQyEFw3N4EBXb32xNKvhKcvjw1EeNZCJFwJjVWrye MLtiL24SNg3fteyOdur36WbezP7sKEFj6aFB3aiEMx5/wORIayUOaNSxdTNTDG/kMQMt aiAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:references:in-reply-to:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=72wc0AStVAuzNIL4HrM/GOrXQ7oUPuF1mX2pT2y0cKk=; b=R2m7ZNdIde35/N7IcW0awIYKtjmp6vfU79K2JaG3GX3QqNZM0F79tjm4XrvW7IBxzR NvgghB0o5Hi9q29pqX9WgJ8DoSNH+aE9ifATJ1LIVqAC+h17EdHL3sKT14h2/HRMGXKb TWz3FiAeiqNLk1IACjrViGd0JAsZXkfWZRQYGrRJnoopZn2wIfCeeXh2z5sAdLxkWoK1 OUQa0BmTXIMK9s9IhB7l1q9pR2QGR06MhhaD9mKzeFyVRBHLbNFFnal+Kr/TDyH87DGV sGQV+5Y4lMHo2TQHPIn0GOZsAN6HneF0lP3CV9cYK8C2lYrlXND1pWUDStN6SrT8UbTh 0rCw== X-Gm-Message-State: AFqh2krjCwXc2MY2dPvw/sjv6kAFkQ9V+EZ2BVmgq31QpAe8Cb1IMgMA IErFDZFg+Qwoh0VGUcCvS4Ehxz6qbyuaxYMnkl5qFIsitVw= X-Google-Smtp-Source: AMrXdXuBVGu6y/hG96/zhC9zrGax58iEL3uSV0/GF9PuHmKkCjZIY3ipdFWZoIjBSx8wh4ytpNEgkyLuiTwn4GI0W1A= X-Received: by 2002:ab0:482c:0:b0:418:455f:2e94 with SMTP id b41-20020ab0482c000000b00418455f2e94mr3639713uad.75.1674667099890; Wed, 25 Jan 2023 09:18:19 -0800 (PST) MIME-Version: 1.0 Received: by 2002:ab0:5a66:0:0:0:0:0 with HTTP; Wed, 25 Jan 2023 09:18:19 -0800 (PST) In-Reply-To: References: <87988F72F1C2D20B16DE8DA47FB8C262@alice> From: hiro <23hiro@gmail.com> Date: Wed, 25 Jan 2023 18:18:19 +0100 Message-ID: To: 9front@9front.org Content-Type: text/plain; charset="UTF-8" List-ID: <9front.9front.org> List-Help: X-Glyph: ➈ X-Bullshit: structured HTML event-oriented general-purpose optimizer Subject: Re: [9front] [PATCH] libsec: add minimal support for the tls renegotiation extension Reply-To: 9front@9front.org Precedence: bulk well i know thats not the case. tls 1.3 downgrade attacks are always possible atm. what i wasnt sure is if downgrades to tls1.1 are still possible in practice. i was just hoping that maybe one could save some effort and skip a version, but i guess not. and anyway dragons are lurking in tls1.3, too. On 1/25/23, kemal wrote: > 2023-01-25 16:39 GMT, hiro <23hiro@gmail.com>: >> i dont know enough. what is the actual minimum tls version enforced >> by clients (i.e. no downgrade attacks possible) >> >> seems useless to even twitch that tls1.3 finger until they make sure >> downgrades to 1.2 arent possible (on our server side at least) >> > oh i see what you mean. > if both server and client supports 1.3, there's no way of a downgrade. > both sides will definitely use 1.3. > so implementing tls1.3 could also work. >