[webkit-dev] Request for position: Removing 3DES from TLS
Alex Christensen
achristensen at apple.com
Thu Apr 29 13:15:19 PDT 2021
Thanks, David. I think we’re on the same page now.
> On Apr 29, 2021, at 12:47 PM, David Benjamin <davidben at chromium.org> wrote:
>
> Ah yes, that is confusing. Not quite. What's going on here is that we've moved 3DES (and SHA-1 server signatures) under a fallback connection, so our first connection won't advertise them, but on error the second one will. This means that, for compatibility and security purposes, we do support 3DES. But when you look at the ClientHellos, it'll look like we don't.
> https://groups.google.com/a/chromium.org/g/blink-dev/c/yaJcs4p9LNI/m/haZWzX-UBwAJ <https://groups.google.com/a/chromium.org/g/blink-dev/c/yaJcs4p9LNI/m/haZWzX-UBwAJ>
Ah, yes. Now I see that when connecting to https://3des.badssl.com/ Chrome will send a retry client hello with TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> (By the way, it looks like, on my machine, Safari on Big Sur also supports TLS_RSA_WITH_3DES_EDE_CBC_SHA.)
You are correct. I overlooked that one, which upon closer inspection was right next to the other ones the whole time.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20210429/6ab869c4/attachment.htm>
More information about the webkit-dev
mailing list