
Re: [Nbd] [PATCHv3] Improve documentation for TLS



Wouter,

On 9 Apr 2016, at 11:38, Wouter Verhelst <w@...112...> wrote:
>> 
>> As per previous message, because SELECTIVETLS requires INFO,
>> but OPTIONALTLS doesn't.
> 
> Um. So you're suggesting that if a client sends INFO, we're suddenly in
> a whole different mode of operation?
> 
> That seems to make little sense (other than "complicate matters for no
> particularly good reason")

Nope, not at all. Sorry, I should have been clearer.

There are four modes. Nothing depends on whether a client sends info.
The modes are:
* NOTLS
* OPTIONALTLS
* SELECTIVETLS
* FORCEDTLS

The server needs to implement at least one (even if only NOTLS
which is what the reference server currently does!), and can operate
in any mode it chooses. How it responds to the client is a product
of which mode it is in. The client doesn't control the mode in any way.

However, if it operates in SELECTIVETLS mode, it MUST also support the
INFO option. That 'MUST' requirement does not apply to 'OPTIONALTLS'.

Your question was (paraphrasing) 'why even bother having the OPTIONALTLS
mode if it's essentially a degenerate case of SELECTIVETLS'. The answer
is because a server that does not support INFO cannot support SELECTIVETLS,
but can support OPTIONALTLS.

An alternative route would be to delete OPTIONALTLS, and make some of
the MUST requirements in SELECTIVETLS say "MUST xyz unless there are
no TLS-only exports". However, this makes it rather harder to read,
so I described that case as a separate mode.

>> I'd be all for that. Or certainly "SHOULD NOT support TLS versions older
>> than 1.2 by default"
> 
> Or that. The point is that doing TLS < 1.2 is stupid, especially for a
> new protocol, so I think we should make it explicit that clients should
> not try that save in exceptional circumstances.

+1. Do you want to ping me when you have had a chance to review v5 and
I will collate all of these into a v6?

-- 
Alex Bligh
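Added example, not from this thread or the NBD reference server: a toy model of how a server in each of the four modes answers option requests before and after STARTTLS, showing why SELECTIVETLS needs INFO (EXPORT_NAME has no error reply, so a TLS-only export can only be refused by closing the connection). Option and reply names follow the NBD protocol document; the FORCEDTLS and LIST handling are my reading of the spec, not something this message states, and the reply tokens are constructed labels rather than wire values.

```python
from enum import Enum, auto

class Mode(Enum):
    NOTLS = auto()
    OPTIONALTLS = auto()
    SELECTIVETLS = auto()
    FORCEDTLS = auto()

# Reply tokens (constructed labels, not NBD wire values)
OK, UNSUP, TLS_REQD, CLOSE = "ACK", "ERR_UNSUP", "ERR_TLS_REQD", "close-connection"

class Server:
    def __init__(self, mode, exports, tls_only=(), supports_info=True):
        # exports: all export names; tls_only: the subset served only over TLS
        if mode is Mode.SELECTIVETLS and not supports_info:
            # As the thread says: SELECTIVETLS requires INFO, OPTIONALTLS does not
            raise ValueError("SELECTIVETLS requires NBD_OPT_INFO support")
        if mode is not Mode.SELECTIVETLS and tls_only:
            raise ValueError("only SELECTIVETLS has TLS-only exports")
        self.mode, self.exports, self.tls_only = mode, set(exports), set(tls_only)
        self.supports_info = supports_info
        self.tls = False  # becomes True once STARTTLS has been accepted

    def option(self, opt, export=None):
        """Return the reply token for one client option request."""
        if opt == "STARTTLS":
            if self.mode is Mode.NOTLS:
                return UNSUP
            self.tls = True
            return OK
        if opt == "INFO" and not self.supports_info:
            return UNSUP
        # Assumption: before TLS, FORCEDTLS refuses everything except STARTTLS/ABORT
        if self.mode is Mode.FORCEDTLS and not self.tls and opt != "ABORT":
            return CLOSE if opt == "EXPORT_NAME" else TLS_REQD
        if opt in ("INFO", "GO", "EXPORT_NAME"):
            if export not in self.exports:
                return CLOSE if opt == "EXPORT_NAME" else "ERR_UNKNOWN"
            if export in self.tls_only and not self.tls:
                # EXPORT_NAME carries no error reply, so the server can only close;
                # INFO lets the client learn TLS is required and retry after STARTTLS
                return CLOSE if opt == "EXPORT_NAME" else TLS_REQD
            return OK
        if opt == "LIST":
            # Assumption: a cleartext LIST hides the TLS-only exports
            return sorted(self.exports if self.tls else self.exports - self.tls_only)
        return UNSUP
```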