zlacker

1. tbrowb+(OP) 2017-02-28 04:35:27
The TLS negotiation is mutual. Both endpoints tell each other what they support and they agree on a protocol that's mutually supported.

If merely advertising 1.3 while still advertising older versions causes Blue Coat to break, it has a bug in TLS version negotiation.

There is no downgrade or whitelist or failing closed. Each end says what they support, and Blue Coat blows up the connection if it sees that the other end supports a newer version. It should say "oh, we both support 1.2, let's use that." And apparently it's done this before, so there's even less of an excuse for it.

2. rocqua+0h 2017-02-28 08:37:45
>>tbrowb+(OP)
This is apparently a problem when Blue Coat is used in non-MITM mode. That probably means Blue Coat is merely inspecting the initial handshake, not modifying it. That would imply it can't actually modify the handshake.

It then simply inspects a connection it doesn't understand and 'fails closed' by preventing that connection.
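To make the negotiation the two comments are arguing about concrete, here is an added example (not code from this thread, and not Blue Coat's implementation) that models the version fields of a ClientHello per RFC 8446 section 4.2.1 and runs them through three policies: a correct server that picks the highest mutually supported version, a hypothetical inspector that "fails closed" on any version it does not recognise, and a hypothetical tolerant inspector that ignores unknown versions. The version constants are the real wire values; the middlebox functions and `negotiate` are assumed models written for this example.

```python
# Added example: a small model of TLS version negotiation, written for this
# thread. It is not code from the thread and not Blue Coat's implementation;
# the two "middlebox" policies below are hypothetical models of the
# behaviours the comments describe.

# Wire values from the TLS specs (ProtocolVersion).
TLS_1_0, TLS_1_1, TLS_1_2, TLS_1_3 = 0x0301, 0x0302, 0x0303, 0x0304
PRE_1_3 = (TLS_1_0, TLS_1_1, TLS_1_2)


def build_client_hello(offered):
    """Model the version fields of a ClientHello.

    Per RFC 8446 section 4.2.1, a client that supports TLS 1.3 keeps
    legacy_version at 0x0303 (TLS 1.2) and lists every version it supports,
    including the old ones, in the supported_versions extension. A client
    without 1.3 just sets legacy_version to its highest version.
    """
    if not offered:
        raise ValueError("client must offer at least one version")
    offered = sorted(set(offered), reverse=True)
    hello = {"legacy_version": min(offered[0], TLS_1_2)}
    if TLS_1_3 in offered:
        hello["supported_versions"] = offered
    return hello


def offered_versions(hello):
    """Versions a ClientHello actually offers.

    With the extension present, exactly that list. Without it, the pre-1.3
    rule applies: legacy_version is a ceiling, so everything up to it is
    on the table.
    """
    if "supported_versions" in hello:
        return list(hello["supported_versions"])
    return [v for v in PRE_1_3 if v <= hello["legacy_version"]]


def server_select(hello, server_supported):
    """Correct negotiation: pick the highest version both sides support.

    Returns None when there is no overlap (the server would send a
    protocol_version alert). Unknown versions in the offer are ignored,
    which is what lets a 1.2-only server talk to a 1.3-capable client.
    """
    common = set(offered_versions(hello)) & set(server_supported)
    return max(common) if common else None


def middlebox_fail_closed(hello, known):
    """Hypothetical model of the behaviour described in the thread: a
    passive inspector drops any handshake that names a version it does not
    recognise, even though a mutually supported version exists.
    Returns True if the connection is allowed through."""
    return all(v in known for v in offered_versions(hello))


def middlebox_tolerant(hello, known):
    """What a version-tolerant inspector should do instead: ignore versions
    it does not know and let the endpoints negotiate, as long as at least
    one version it can reason about is offered."""
    return any(v in known for v in offered_versions(hello))


def negotiate(client_offers, server_supported, middlebox, middlebox_known):
    """Run one handshake through a middlebox policy.

    Returns the negotiated version, "dropped" if the middlebox killed the
    connection, or None if the endpoints themselves had no overlap.
    """
    hello = build_client_hello(client_offers)
    if not middlebox(hello, middlebox_known):
        return "dropped"
    return server_select(hello, server_supported)


if __name__ == "__main__":
    known_by_old_box = {TLS_1_0, TLS_1_1, TLS_1_2}
    # 1.3-capable client, 1.2-only server: the endpoints agree on 1.2 ...
    print(hex(negotiate([TLS_1_2, TLS_1_3], [TLS_1_2],
                        middlebox_tolerant, known_by_old_box)))
    # ... but the fail-closed box never lets them get that far.
    print(negotiate([TLS_1_2, TLS_1_3], [TLS_1_2],
                    middlebox_fail_closed, known_by_old_box))
```

The key detail is that a 1.3-capable client does not raise legacy_version; it still says 0x0303 there and puts 0x0304 in an extension, so an inspector that only knows 1.2 has everything it needs to let the endpoints settle on 1.2. Dropping the connection because an unfamiliar value appears in that list is the negotiation bug the first comment describes.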
