Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-over-tls13-03: (with DISCUSS and COMMENT)

Rob Sayre <sayrer@gmail.com> Tue, 12 December 2023 19:37 UTC

To: netconf@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/kbkUDsgUfFzr1ipgIxZJFUTM1V8>

Sean Turner <sean@sn3rd.com> wrote:
> For TLS 1.2:
>
> RFC 7589 includes the following text:
>
> Implementations MUST support TLS 1.2 and are REQUIRED to
>  support the mandatory-to-implement cipher suite.
>
> That cipher suite is TLS_RSA_WITH_AES_128_CBC_SHA.

I think the text could be clearer still, because the draft cites RFC 9325
as a normative reference.

There, we can find this text:

"The previous version of the TLS recommendations [RFC7525] implicitly
allowed the old RFC 5246 mandatory-to-implement cipher suite,
TLS_RSA_WITH_AES_128_CBC_SHA. At the time of writing, this cipher suite
does not provide additional interoperability, except with very old clients.
As with other cipher suites that do not provide forward secrecy,
implementations SHOULD NOT support this cipher suite. Other application
protocols specify other cipher suites as mandatory to implement (MTI)."

<https://www.rfc-editor.org/rfc/rfc9325.html#name-implementation-details>

So, do implementations have to support TLS_RSA_WITH_AES_128_CBC_SHA, even
if they have some better options?

thanks,
Rob
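
The tension raised in this message, shown as an added example that is not part of the original email or of either RFC: a small audit that classifies TLS 1.2 suites by the key exchange encoded in their IANA names and checks a suite list against both the RFC 7589 mandatory-to-implement requirement and the RFC 9325 forward-secrecy guidance. The function names and the two sample suite lists are assumptions made for illustration.

```python
import re

# Suite named in the quoted RFC 7589 text and in the quoted RFC 9325 paragraph.
MTI_RFC7589 = "TLS_RSA_WITH_AES_128_CBC_SHA"
# Key-exchange prefixes in TLS 1.2 suite names that use ephemeral (EC)DH.
EPHEMERAL_KX = {"DHE", "ECDHE"}

def classify(name):
    """Classify a suite by the key exchange encoded in its IANA name."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)", name)
    if m is None:
        # TLS 1.3 names such as TLS_AES_128_GCM_SHA256 carry no key exchange.
        return "not-a-tls12-name"
    kx = m.group(1)
    if kx.endswith("_anon"):
        return "unauthenticated"
    return "forward-secret" if kx.split("_")[0] in EPHEMERAL_KX else "no-forward-secrecy"

def audit(enabled):
    """Report how a TLS 1.2 suite list stands against both requirements."""
    status = {s: classify(s) for s in enabled}
    return {
        "rfc7589_mti_enabled": MTI_RFC7589 in enabled,
        "rfc9325_should_not": [s for s in enabled if status[s] == "no-forward-secrecy"],
        "has_forward_secret_option": "forward-secret" in status.values(),
    }

# Constructed sample configurations (hypothetical, not from the thread).
FOLLOWS_RFC7589 = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
FOLLOWS_RFC9325 = FOLLOWS_RFC7589[:2]

if __name__ == "__main__":
    for label, suites in (("RFC 7589", FOLLOWS_RFC7589), ("RFC 9325", FOLLOWS_RFC9325)):
        print(label, audit(suites))
```

A list that enables the RFC 7589 suite always reports it under `rfc9325_should_not`, and a list that drops it reports `rfc7589_mti_enabled` as false, so no TLS 1.2 suite list passes both checks.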