[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-hoffman-rfc2487bis-03.txt

To: ietf-apps-tls@xxxxxxx
Subject: Re: draft-hoffman-rfc2487bis-03.txt
From: Marc Shannon <Marc.Shannon@xxxxxxx>
Date: Thu, 24 Aug 2000 07:16:40 -0700
Cc: John Gardiner Myers <jgmyers@xxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-apps-tls/mail-archive/>
List-id: <ietf-apps-tls.imc.org>
List-unsubscribe: <mailto:ietf-apps-tls-request@imc.org?body=unsubscribe>
References: <> <>
Sender: owner-ietf-apps-tls@xxxxxxxxxxxx

> > A server which does not have a certificate installed and which does not
> > support any anonymous ciphers SHOULD NOT advertise the STARTTLS keyword
> > as it is not currently able to negotiate the use of TLS.

> It's an case which implementors commonly get wrong.

Further, it's also an area where past SMTP proxy servers have made mistakes.
The proxy servers attempt to validate the SMTP commands as a
man-in-the-middle, passing through the STARTTLS option knowing full well
that they won't allow for TLS negotiation anyway. In one particular case,
the proxy server responded "250 OK" to the STARTTLS command (and, in fact,
it responded that way to _any_ unrecognized command) leading to a serious
communications breakdown as the client was starting to negotiate TLS while
the server was happily awaiting its next plain-text command.

--Marc

Follow-Ups:
- Re: draft-hoffman-rfc2487bis-03.txt
  - From: Eric Rescorla

References:
- draft-hoffman-rfc2487bis-03.txt
  - From: Paul Hoffman / IMC
- Re: draft-hoffman-rfc2487bis-03.txt
  - From: John Gardiner Myers

Prev by Date: SMTP/TLS: MTA certificate type
Next by Date: Re: draft-hoffman-rfc2487bis-03.txt
Previous by thread: Re: draft-hoffman-rfc2487bis-03.txt
Next by thread: Re: draft-hoffman-rfc2487bis-03.txt
Index(es):
- Date
- Thread