Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft

Kurt Roeckx <> Fri, 26 December 2014 23:26 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 10FD91ACFC8 for <>; Fri, 26 Dec 2014 15:26:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SUhOOKnqPb7K for <>; Fri, 26 Dec 2014 15:26:28 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 182B31A90A5 for <>; Fri, 26 Dec 2014 15:26:27 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id 077241C2039; Sat, 27 Dec 2014 00:26:26 +0100 (CET)
Received: by (Postfix, from userid 1000) id 796641FE00B2; Sat, 27 Dec 2014 00:26:25 +0100 (CET)
Date: Sat, 27 Dec 2014 00:26:25 +0100
From: Kurt Roeckx <>
To: Dave Garrett <>
Message-ID: <>
References: <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: " (" <>
Subject: Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Dec 2014 23:26:30 -0000

On Fri, Dec 26, 2014 at 05:47:00PM -0500, Dave Garrett wrote:
> On Friday, December 26, 2014 01:11:39 pm Kurt Roeckx wrote:
> > On the other hand if you do receive such a client hello you're
> > likely talking to old software that most likely isn't support
> > anymore and might have various security issues.  It might be a
> > good indication of clients you prefer not to talk to.
> My primary concern is that continuing to maintain official support for a 
> deprecated format from an insecure protocol leaves a significant amount of 
> complexity in place just to support woefully out-of-date implementations.

Isn't it up to the implementations to decide if they still wish to
support it?  Does it do any harm to support it other then possible
talking to outdated software?

(It currently seems to be about 150 lines in OpenSSL, and it seem
clear to me that it's just to support that.)

> I think that many people agree that one of the main goals of TLS 1.3 needs to be 
> reduction of complexity. The more legacy features that are removed, the simpler 
> the protocol will be, and the safer it will be to implement properly.

Even if TLS 1.3 reduces complexity, it's not suddenly going to
make any implementation less complex.   I think it's likely going
to make things more complex.   It's not like we're going drop
support for the older protocols at the same time.  We'll add one
more that is different then the others.

> Refusing to connect to these old clients will also, hopefully, get some of them 
> upgraded to new ones that actually work with modern protocols.

Or prevent the adoption of the new software because it breaks

> > It's saying that you should refuse a connection from a client that
> > supports TLS 1.0 but set it up using a SSLv2 compatible client
> > hello.  If TLS 1.0 is still acceptable, why would you refuse such
> > a connection?
> If there were a simple way to detect that, without having to support the old 
> hello format, and reply with a simple refusal that triggered a negotiation using 
> TLS, then that might be preferable. However, at some point it's just not worth 
> it. You just have to cut off backwards compatibility, eventually.
> Also, I'm not sure I agree that TLS 1.0 is still acceptable. Personally, I'd 
> like to see an official deprecation and an attempt to force implementations to 
> upgrade to at least 1.2 at some point. HTTP/2 should help here, I hope. (at 
> least on the web) It would be nice to not have to panic and handle some fatal 
> flaw in TLS 1.0 like had to be done for SSL 3.

I would also like to get rid of TLS 1.0.  It's just not realistic
to do this at this point in time.  Only about 50% of the http
servers support TLS 1.2 currently.