Against certain proposed TLS client-side options

Richard Laager rlaager at wiktel.com
Sun Feb 3 02:52:33 UTC 2019


On 2/2/19 7:25 PM, Richard Laager via devel wrote:
> # Requiring a bounded set of audited TLS versions
> # (the DOD STIG scenario, unverified as to actual requirement)
> tlsmin 1.2 tlsmax 1.3
> OR
> tlsversions "1.3"

This should be:

tlsmin 1.2 tlsmax 1.3
OR
tlsversions "1.2 1.3"

> # Notably, forcetls is NOT acceptable here, as even if it is per
> # association, which I think we are assuming, it breaks negotiation.
> # Clients and servers would have to upgrade in lock-step, which is
> # unreasonable to expect.

-- 
Richard
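The difference between a bounded range (tlsmin/tlsmax or tlsversions) and a single forced version is easy to see with a small model. The following is an added example written for this archive page; it is not NTPsec code, and the three directive spellings it parses are only the proposals from this thread, not an implemented ntp.conf syntax. It turns each proposal into a set of allowed TLS versions, simulates the client/server version negotiation over those sets, and maps a contiguous range onto a real Python `ssl.SSLContext` via `minimum_version`/`maximum_version` (those two attributes are genuine stdlib API; everything else here is illustrative).

```python
import shlex
import ssl

# Ordered list of TLS versions the model knows about, oldest first.
ORDER = ["1.0", "1.1", "1.2", "1.3"]

# Map from the config spelling to the stdlib enum used by ssl.SSLContext.
TLS_ENUM = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_policy(line):
    """Turn one proposed directive line into the set of permitted versions.

    Accepted (hypothetical, from the thread) spellings:
      tlsmin 1.2 tlsmax 1.3
      tlsversions "1.2 1.3"
      forcetls 1.3
    """
    tokens = shlex.split(line)          # shlex handles the quoted list form
    if tokens[0] == "tlsversions":
        versions = set(tokens[1].split())
    elif tokens[0] == "forcetls":
        versions = {tokens[1]}
    elif tokens[0] == "tlsmin":
        opts = dict(zip(tokens[0::2], tokens[1::2]))   # {"tlsmin": "1.2", "tlsmax": "1.3"}
        lo = ORDER.index(opts["tlsmin"])
        hi = ORDER.index(opts.get("tlsmax", ORDER[-1]))
        versions = set(ORDER[lo:hi + 1])
    else:
        raise ValueError("unknown directive: %s" % tokens[0])
    unknown = versions - set(ORDER)
    if unknown:
        raise ValueError("unknown TLS version(s): %s" % sorted(unknown))
    return versions


def negotiate(client_allowed, server_allowed):
    """Model of version negotiation: highest version both sides permit, or None."""
    common = client_allowed & server_allowed
    if not common:
        return None
    return max(common, key=ORDER.index)


def ssl_context_for(allowed):
    """Build a client SSLContext bounded to a contiguous allowed range.

    SSLContext can only express min/max, so a set with a hole (e.g. {1.1, 1.3})
    is rejected rather than silently widened.
    """
    indices = sorted(ORDER.index(v) for v in allowed)
    if indices != list(range(indices[0], indices[-1] + 1)):
        raise ValueError("SSLContext cannot express a non-contiguous set: %s" % sorted(allowed))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = TLS_ENUM[ORDER[indices[0]]]
    ctx.maximum_version = TLS_ENUM[ORDER[indices[-1]]]
    return ctx


def context_bounds(ctx):
    """Report the bounds actually set on a context, as enum names."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


if __name__ == "__main__":
    # Constructed scenario: a client on the audited {1.2, 1.3} set against a
    # server that has not yet been upgraded past TLS 1.2.
    audited = parse_policy("tlsmin 1.2 tlsmax 1.3")
    old_server = parse_policy('tlsversions "1.2"')
    print("bounded range vs 1.2-only server:", negotiate(audited, old_server))
    # forcetls pins one version, so the same server cannot negotiate at all.
    forced = parse_policy("forcetls 1.3")
    print("forcetls 1.3 vs 1.2-only server:", negotiate(forced, old_server))
    print("context bounds:", context_bounds(ssl_context_for(audited)))
```

Run as a script it shows the point of the reply: the range still negotiates TLS 1.2 with a server that has not moved to 1.3, while `forcetls 1.3` yields no common version, which is the lock-step upgrade problem.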
