Re: [netconf] draft-ietf-netconf-tls-client-server-34 tls-version

Michal Vasko <mvasko@cesnet.cz> Fri, 01 March 2024 07:11 UTC

Message-ID: <1b1fa39b-da8c-45c5-8ba2-ce72d1b54ea8@cesnet.cz>
Date: Fri, 01 Mar 2024 08:11:19 +0100
To: Kent Watsen <kent+ietf@watsen.net>
Cc: "netconf@ietf.org" <netconf@ietf.org>
References: <afa59a41-0fb6-47c3-a1bf-aadfa0433a5d@cesnet.cz> <0100018df764a22e-48daaa70-a779-4636-b004-91b524b556b6-000000@email.amazonses.com>
From: Michal Vasko <mvasko@cesnet.cz>
In-Reply-To: <0100018df764a22e-48daaa70-a779-4636-b004-91b524b556b6-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Gv8lFnZ461hxa-xHT2-1kfidN2U>

Hi Kent,

yeah, I was not sure whether you had seen it, but I had enough other work 
and then forgot about it.

As stated in the email, being able to set both the min and max supported 
version makes sense to me (and is supported by OpenSSL), not so much 
customizing the priority of each TLS version, so that is my proposal. 
Thanks.

Regards,
Michal

On 1. 3. 2024 1:23, Kent Watsen wrote:
> Hi Michal,
>
> I just found this email of yours.
>
> What is your proposal?  Set min/max or remove the node entirely?
>
> K.
>
>
>> On Jan 16, 2024, at 4:11 AM, Michal Vasko 
>> <mvasko=40cesnet.cz@dmarc.ietf.org> wrote:
>>
>> Hi,
>>
>> I am wondering about the tls-version user-ordered list in the latest 
>> ietf-tls-common YANG module. It allows for quite a fine-tuned 
>> configuration of the supported TLS versions, but I am not sure there 
>> is any added value. Also, OpenSSL does not support these options 
>> <https://www.openssl.org/docs/man3.2/man3/SSL_CTX_set_min_proto_version.html> 
>> and they advise only setting the minimum (avoid security issues) and 
>> maximum (avoid compatibility issues) supported versions, which makes 
>> sense to me (but I am no security expert). I suppose it is too late 
>> for any changes, so I am at least hoping for some comment, thanks.
>>
>> Regards,
>> Michal
>>
>> _______________________________________________
>> netconf mailing list
>> netconf@ietf.org
>> https://www.ietf.org/mailman/listinfo/netconf
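The following is an added illustration of the point argued in the thread, not code from either message or from the draft: it shows what an implementation backed by OpenSSL can actually do with a list of enabled TLS versions. Python's `ssl.SSLContext.minimum_version` / `maximum_version` wrap `SSL_CTX_set_min_proto_version` / `SSL_CTX_set_max_proto_version`, so the only thing a configuration can express is a contiguous range; the "priority" of a version is fixed by the protocol, which always negotiates the highest version inside both peers' ranges. The version identity names (`tls1.0` .. `tls1.3`) are placeholders assumed here, not the identities defined in ietf-tls-common, and the constructed configurations are only examples.

```python
"""Reduce a user-ordered list of enabled TLS versions to the min/max bounds
OpenSSL supports, apply them to an SSLContext, and model what a handshake
between two such contexts would negotiate. Added example; the version
identity names are assumed placeholders, not the YANG module's identities."""
import ssl

# Oldest to newest. TLS negotiation (RFC 5246 / RFC 8446 supported_versions)
# always selects the highest version both peers allow, so ordering entries
# by "priority" has no effect; only the two bounds are configurable.
ORDERED_VERSIONS = (
    ("tls1.0", ssl.TLSVersion.TLSv1),
    ("tls1.1", ssl.TLSVersion.TLSv1_1),
    ("tls1.2", ssl.TLSVersion.TLSv1_2),
    ("tls1.3", ssl.TLSVersion.TLSv1_3),
)
NAME_TO_VERSION = dict(ORDERED_VERSIONS)
RANK = {name: i for i, (name, _) in enumerate(ORDERED_VERSIONS)}


def bounds_from_version_list(names):
    """Map a (user-ordered) list of version names to (min_name, max_name).

    Raises ValueError when the list is empty, names an unknown version, or
    has a hole (e.g. tls1.3 and tls1.1 without tls1.2): OpenSSL's min/max
    API cannot express such a set, so the config must be rejected rather
    than silently widened.
    """
    if not names:
        raise ValueError("at least one TLS version must be enabled")
    unknown = [n for n in names if n not in RANK]
    if unknown:
        raise ValueError(f"unknown TLS version identity: {unknown}")
    ranks = sorted({RANK[n] for n in names})
    full = list(range(ranks[0], ranks[-1] + 1))
    if ranks != full:
        holes = [ORDERED_VERSIONS[r][0] for r in full if r not in ranks]
        raise ValueError(
            f"version set is not contiguous (missing {holes}); "
            "cannot be expressed as min/max"
        )
    return ORDERED_VERSIONS[ranks[0]][0], ORDERED_VERSIONS[ranks[-1]][0]


def configure_context(min_name, max_name, server_side=True):
    """Build an SSLContext whose protocol range is [min_name, max_name]."""
    lo, hi = NAME_TO_VERSION[min_name], NAME_TO_VERSION[max_name]
    if lo > hi:
        raise ValueError(f"min {min_name} is newer than max {max_name}")
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    # These two setters are the Python face of SSL_CTX_set_{min,max}_proto_version.
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    return ctx


def effective_versions(ctx):
    """Read back, oldest first, the versions the context will offer/accept."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # Unset bounds are reported as the sentinels; clamp them to our table.
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.TLSv1
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for name, v in ORDERED_VERSIONS if lo <= v <= hi]


def negotiated_version(client_ctx, server_ctx):
    """Version a handshake between the two would pick, or None if none overlap."""
    server_ok = set(effective_versions(server_ctx))
    common = [v for v in effective_versions(client_ctx) if v in server_ok]
    return common[-1] if common else None


if __name__ == "__main__":
    # Constructed configurations: the order of the list does not matter.
    lo, hi = bounds_from_version_list(["tls1.3", "tls1.2"])
    server = configure_context(lo, hi)                      # min 1.2, max 1.3
    modern = configure_context("tls1.2", "tls1.3", server_side=False)
    legacy = configure_context("tls1.0", "tls1.1", server_side=False)
    print("server accepts:", effective_versions(server))
    print("modern client ->", negotiated_version(modern, server))  # tls1.3
    print("legacy client ->", negotiated_version(legacy, server))  # None
    try:
        bounds_from_version_list(["tls1.3", "tls1.1"])
    except ValueError as exc:
        print("rejected:", exc)
```

Raising the minimum is the security control (it removes the downgrade target), lowering the maximum is only an interoperability knob; anything a "priority order" in the configuration would add beyond those two bounds cannot be handed to OpenSSL, which is why the non-contiguous case is rejected instead of approximated.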