From: Anthony Martin
To: 9front@9front.org
Date: Fri, 20 Jan 2023 13:05:37 -0800
Subject: Re: [9front] [PATCH] libsec: add minimal support for the tls renegotiation extension

hiro <23hiro@gmail.com> once said:
> On 11/10/22, Anthony Martin wrote:
> > OpenSSL 3.0 clients refuse to connect to servers that do not
> > support the renegotiation extension (RFC 5746)
>
> why? what's the logic behind it?

"It has been more than a decade since RFC 5746 was published,
so there has been plenty of time for implementation support to
roll out." - Benjamin Kaduk¹

Remember, they continue to support renegotiation in TLS
versions before 1.3 and it's insecure² without the RFC 5746
mitigation. It was removed in TLS 1.3.

The Plan 9 TLS code never supported it. Annoyance or
clairvoyance? Who knows.

Cheers,
  Anthony

1. https://github.com/openssl/openssl/commit/72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3
2. https://mailarchive.ietf.org/arch/msg/tls/N7EcRpvK2ENs5IwWYv2p7nrUG8w/
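
The check a client makes on the ServerHello of an initial handshake under RFC 5746, as an added example that is not part of the original message and is not libsec or OpenSSL code. The function name, result codes and sample bytes are constructed for illustration; a client that insists on RFC 5746 treats `RENEG_ABSENT` as fatal.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { RENEG_ABSENT, RENEG_OK, RENEG_BAD };	/* hypothetical result codes */
#define EXT_RENEGOTIATION_INFO 0xff01		/* extension type from RFC 5746 */

static unsigned get16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* b, n: ServerHello body (after the 4-byte handshake header), initial handshake */
int check_reneg_info(const uint8_t *b, size_t n)
{
	size_t off = 2 + 32, end, len;		/* skip server_version + random */
	int found = RENEG_ABSENT;
	if (n < off + 1) return RENEG_BAD;
	off += 1 + b[off];			/* session_id */
	if (n < off + 3) return RENEG_BAD;
	off += 3;				/* cipher_suite + compression_method */
	if (off == n) return RENEG_ABSENT;	/* no extensions block: pre-RFC 5746 server */
	if (n - off < 2) return RENEG_BAD;
	end = off + 2 + get16(b + off);
	if (end != n) return RENEG_BAD;
	for (off += 2; off < end; off += len) {
		if (end - off < 4) return RENEG_BAD;
		unsigned type = get16(b + off);
		len = get16(b + off + 2);
		off += 4;
		if (len > end - off) return RENEG_BAD;
		/* initial handshake: renegotiated_connection must be empty (one zero length byte) */
		if (type == EXT_RENEGOTIATION_INFO) {
			if (found != RENEG_ABSENT || len != 1 || b[off] != 0) return RENEG_BAD;
			found = RENEG_OK;
		}
	}
	return found;
}

/* Constructed samples: TLS 1.2, zero random, empty session_id, suite 0xc02f */
static const uint8_t hello_ok[] = {3,3, [34]=0, 0xc0,0x2f, 0, 0,5, 0xff,0x01, 0,1, 0};
static const uint8_t hello_legacy[] = {3,3, [34]=0, 0xc0,0x2f, 0};
static const uint8_t hello_bad[] = {3,3, [34]=0, 0xc0,0x2f, 0, 0,6, 0xff,0x01, 0,2, 1,0xaa};

int main(void)
{
	printf("ok=%d legacy=%d bad=%d\n", check_reneg_info(hello_ok, sizeof hello_ok),
		check_reneg_info(hello_legacy, sizeof hello_legacy),
		check_reneg_info(hello_bad, sizeof hello_bad));
	return 0;
}
```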