

New TLS Versions - afimrishi
http://www.imperialviolet.org/2012/06/08/tlsversions.html

======
X-Istence
Here is something interesting, TLS Version 1.2 has been the required standard
for protection by the US Government since December 2010 due to no longer
allowing MD5 to be used in certain cases.

<https://blogs.oracle.com/xuelei/entry/tls_and_nist_s_policy>

This has actually been interesting for those of us in the government sector
since TLS 1.2 for example is not yet supported by so many different
libraries/clients that I know of people having to get exceptions for their
products to still be deployed in federal instances...

------
rubynerd
Hmm, at the moment I'm writing something in Ruby using OpenSSL, where a Socket
object becomes an OpenSSL::SSL::SSLSocket

It's an absolute nightmare. It won't stay alive for more than 10 minutes
without some form of OpenSSL error, and I've even managed to create some kind
of weird condition where pure bytes and other garbage are read off the socket

What really concerns me is the lack of documentation for this. It's SSL, out
of any piece of Ruby I would like it to be the most documentated/most
maintained/easy to find help with piece, but instead, I've been stuck with
this giant piece of broken code for three months with no idea where to et help

The point being, it's all very well saying massive companies with engineers on
tap are supporting these technologies. But for a startup with one person at
the keyboard, they are figuratively screwed. I'm still holding out for the
possibility that there is somewhere in the world someone who understands how
to securely handle OpenSSL sockets in Ruby, I really do.

I refuse to go to MVP with a server which is raising exceptions left right and
center, and at the moment, that's gonna kill the startup dead in its tracks.

~~~
X-Istence
Not sure if you can do this in Ruby, but instead of using OpenSSL to manage
the socket use something like libevent or event handling to pass the
information to a SSL memory BIO...

I wrote an article[1] on this a while back (C++ code), but it should give you
an idea as to how to accomplish this. Do note that it looks complicated at
first, but it is fairly easy to implement.

Code based on what is in that article has been in production service for about
4 months now and it is completely stable. No weird errors, no weird issues,
nothing.

Also, if you let something like OpenSSL causing issues kill your startup dead
in its tracks you need to reconsider what MVP is... restart it every so often
if it becomes an issue, fork a different process like netcat that does the SSL
instead and use pipes to communicate. Please don't let issues with SSL kill
your product!

[1]: [http://funcptr.net/2012/04/08/openssl-as-a-filter-(or-non-
bl...](http://funcptr.net/2012/04/08/openssl-as-a-filter-\(or-non-blocking-
openssl\)/)

------
zobzu
not even listing IE and Firefox hehe.

~~~
yuhong
SChannel in Win7 supports TLS 1.1 and 1.2 but IE disables it by default.

