Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Joel Sing <> Mon, 31 August 2015 16:40 UTC

From: Joel Sing <>
Date: Mon, 31 Aug 2015 16:38:00 +0000 (UTC)
List-Id: Security Area Advisory Group <>

Viktor Dukhovni <ietf-dane <at>> writes:
> I should note, that premature deprecation of algorithms and/or
> protocol features by library maintainers who are not attuned to
> the needs of OS applications is already having detrimental effects.
> For example, LibreSSL 2.2.2 has not only removed support for SSL
> 2.0 and SSL 3.0, but has also removed TLS server support for
> SSL-2.0-compatible HELLO.

I strongly recommend that you check your facts, in order to avoid 
distributing misinformation in a public forum:

- LibreSSL 2.2.2 has support for SSLv3 - it is disabled by default,
  however it can be re-enabled by an application at runtime (or by using
  the appropriate functions directly).

- LibreSSL 2.2.2 has server support for SSLv2 ClientHello messages and it 
  will not be removed any time soon.

> This means that servers linked with LibreSSL are unable to complete
> a TLS handshake with clients that have not yet disabled SSL 2.0
> and are still sending SSLv2-compatible HELLO.

This is inaccurate. I believe you are confusing this with a bug that was
introduced in the 2.2.2 release, which has already been fixed in 2.2.3. A 
TLS ClientHello that contained no extensions was incorrectly handled,
resulting in interoperability issues and handshake failures with some

> Such clients are not uncommon.  The Postfix user who ran into this
> problem reverted to linking Postfix with OpenSSL.  In the OpenSSL
> "master" branch (future 1.1.0), SSL 2.0 and SSL 3.0 are disabled
> just like in LibreSSL 2.2.2, but support for SSLv2-compatible HELLO
> is retained (on servers, but the client code will never send such
> a HELLO).
> It takes care and sound judgement to preserve interoperability,
> and not all applications have the same needs.  So while the
> "marketing" message needs to be clear and unequivocal (stop using
> obsolete crypto), in libraries the underlying technical changes to
> support that need to be constructed more carefully, and final
> removal may be the last step of a process that happens across
> multiple releases that gradually reduce support. 
>     * Remove from use by default.
>     * Reduce relative preference.
>     * Require non-default compile-time options to enable.
>     * Remove the code.

You have practically just described the process that LibreSSL is using.
The main difference is the timeline under which the process is being

> Applications can move more aggressively, and use appropriate APIs
> to disable obsolete crypto faster because they are better positioned
> to know where to draw the line between security and interoperability
> with legacy systems.

Deprecation is difficult, since those who are doing it are often told
that they are doing the wrong thing, usually by people who try to discredit
the projects and teams that are busy making progress. Hopefully the
misinformation and inaccurate assertions above are not an example of this.
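The thread turns on the difference between a library disabling a protocol version by default (still re-enableable at runtime) and removing it outright, and on applications drawing their own line above whatever the library ships. The following is an added example, not code from this thread, from LibreSSL or from Postfix: it uses Python's standard `ssl` module (which wraps the linked OpenSSL/LibreSSL) to audit a stock server context for legacy versions it would still negotiate, then applies the application-side floor the discussion recommends. Names such as `legacy_protocols_enabled`, `harden` and `audit_default_server_context` are this example's own; the choice of `PROTOCOL_TLS_SERVER` as the "stock" context is an assumption.

```python
import ssl

# Legacy versions, oldest first. Each entry pairs the label with:
#  - the module's capability flag (False when the linked library no longer
#    contains the code at all, the final "remove the code" step),
#  - the OP_NO_* bit that disables it (the "remove from use by default" step;
#    an application can clear the bit at runtime, which is what the thread
#    describes for SSLv3 in LibreSSL),
#  - the TLSVersion value used for minimum_version comparisons (None for SSLv2,
#    which TLSVersion does not model).
_LEGACY = (
    ("SSLv2",   ssl.HAS_SSLv2,   getattr(ssl, "OP_NO_SSLv2", 0), None),
    ("SSLv3",   ssl.HAS_SSLv3,   ssl.OP_NO_SSLv3,                ssl.TLSVersion.SSLv3),
    ("TLSv1",   ssl.HAS_TLSv1,   ssl.OP_NO_TLSv1,                ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.HAS_TLSv1_1, ssl.OP_NO_TLSv1_1,              ssl.TLSVersion.TLSv1_1),
)


def legacy_protocols_enabled(ctx: ssl.SSLContext) -> list:
    """Return the legacy protocol versions this context would still negotiate.

    A version counts as enabled only if the linked library was built with it,
    its OP_NO_* bit is clear, and ctx.minimum_version does not already sit
    above it.
    """
    try:
        floor = ctx.minimum_version
    except ValueError:
        # Fixed-version contexts (assumption: e.g. PROTOCOL_TLSv1_2) may not
        # expose a minimum; treat them as having no floor of their own.
        floor = ssl.TLSVersion.MINIMUM_SUPPORTED

    enabled = []
    for label, built_in, no_bit, version in _LEGACY:
        if not built_in:
            continue  # code removed from the library: nothing to negotiate
        if no_bit and (ctx.options & no_bit):
            continue  # disabled by default (or by the application) via OP_NO_*
        if version is not None and floor >= 0 and floor > version:
            continue  # excluded by an explicit minimum_version floor
        enabled.append(label)
    return enabled


def harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Application-side policy: refuse anything below TLS 1.2, independent of
    what the library still ships or enables by default."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_default_server_context() -> dict:
    """Build a stock server context and report what it negotiates before and
    after the application applies its own floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    before = legacy_protocols_enabled(ctx)
    after = legacy_protocols_enabled(harden(ctx))
    return {"library": ssl.OPENSSL_VERSION, "before": before, "after": after}


if __name__ == "__main__":
    report = audit_default_server_context()
    print("linked library :", report["library"])
    print("legacy enabled (stock context):", report["before"] or "none")
    print("legacy enabled (after harden) :", report["after"] or "none")
```

On any current CPython build the stock context already reports SSLv2 and SSLv3 as not negotiable (SSLv2 because the library no longer contains it, SSLv3 because `OP_NO_SSLv3` is set by default), which is exactly the "disabled by default, removable later" distinction the thread is arguing about; whether TLS 1.0 and 1.1 appear in `before` depends on the linked library and Python version, which is why the application-level floor in `harden` is the setting a deployment should rely on rather than the library's defaults.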