Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Dave Garrett <davemgarrett@gmail.com> Thu, 21 May 2015 21:12 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Date: Thu, 21 May 2015 17:12:54 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <201505211210.43060.davemgarrett@gmail.com> <20150521210317.GA23925@roeckx.be>
In-Reply-To: <20150521210317.GA23925@roeckx.be>
Message-Id: <201505211712.55279.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/3TBmLIWurbtB2xg4rRA65dNcJig>
Cc: tls@ietf.org
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On Thursday, May 21, 2015 05:03:17 pm Kurt Roeckx wrote:
> On Thu, May 21, 2015 at 12:10:42PM -0400, Dave Garrett wrote:
> > The reasoning here is that major server updates are unfortunately uncommon, but client updates are routine.
> 
> So everybody can already disable TLS 1.0 and 1.1 now, right?  All
> clients have already been updated.

More than enough, as far as I'm concerned. Once servers start rejecting the stragglers on EOL clients, people will be forced to update. This coercion does not work well in the other direction. Many server operators don't even care, or possibly even know anything about the topic. They do know that major upgrades of servers are a big deal, and something that does not get done frequently. Client upgrades, on the other hand, are easier to install and it's easier to switch to competitors if needed.


Dave
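The mechanism behind the proposal in this thread is version negotiation: a 1.3-capable server that refuses anything below TLS 1.2, while a 1.3-capable client may still negotiate lower with a legacy server. The following is an added example, not code from the original message or from any TLS implementation. It uses the supported_versions extension layout that the final TLS 1.3 specification (RFC 8446, extension type 43) settled on, which is an assumption here since the 2015 draft discussed in this thread predates it; the per-side "floor" parameter models the proposal and is not RFC text.

```python
# Added example: TLS version negotiation with a per-side minimum version.
# Wire format is the supported_versions extension from RFC 8446 (type 43):
#   ClientHello body: 1-byte list length + list of 2-byte version codes
#   ServerHello body: one 2-byte selected version
# The "floor" argument is this thread's proposal (server floor TLS 1.2,
# client floor lower), not something the RFC mandates.
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
SUPPORTED_VERSIONS = 43
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}


def encode_client_supported_versions(versions):
    """Encode a ClientHello supported_versions extension (type, length, body)."""
    body = struct.pack("!B", 2 * len(versions)) + b"".join(
        struct.pack("!H", v) for v in versions)
    return struct.pack("!HH", SUPPORTED_VERSIONS, len(body)) + body


def parse_client_supported_versions(ext):
    """Parse the extension back into a list of version codes, strictly."""
    if len(ext) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    body = ext[4:]
    if ext_type != SUPPORTED_VERSIONS or ext_len != len(body):
        raise ValueError("not a well-formed supported_versions extension")
    if not body or body[0] != len(body) - 1 or body[0] % 2 or body[0] == 0:
        raise ValueError("bad version list length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(1, len(body), 2)]


def encode_server_selected_version(version):
    """Encode the ServerHello supported_versions extension (one version)."""
    return struct.pack("!HHH", SUPPORTED_VERSIONS, 2, version)


def negotiate(offered, supported, floor):
    """Pick the highest version in both `offered` and `supported` that is
    at least `floor`. Returns None where a real peer would send a
    protocol_version alert and abort. Works from either side: a server
    passes the client's list; a client passes the server's single choice."""
    acceptable = [v for v in offered if v in supported and v >= floor]
    return max(acceptable) if acceptable else None


def demo():
    """Constructed scenarios: a 1.3 server with a 1.2 floor versus several
    clients, plus a 1.3 client with a lower floor against a legacy server."""
    modern_server = {TLS13, TLS12, TLS11, TLS10}      # code present, but floor applies
    results = {}
    for label, offered in {
        "up-to-date client": [TLS13, TLS12, TLS11, TLS10],
        "1.2-only client": [TLS12, TLS11, TLS10],
        "EOL client": [TLS11, TLS10],
    }.items():
        ext = encode_client_supported_versions(offered)
        chosen = negotiate(parse_client_supported_versions(ext), modern_server, TLS12)
        results[label] = NAMES.get(chosen, "protocol_version alert")
    # Client side: the same 1.3-capable client may still accept TLS 1.0
    # from a legacy server, because the proposal restricts servers only.
    legacy_choice = negotiate([TLS10], {TLS13, TLS12, TLS11, TLS10}, TLS10)
    results["1.3 client vs legacy 1.0 server"] = NAMES[legacy_choice]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:36s} -> {v}")
```

Raising the client floor to TLS12 in the last call is the one-line change that turns the "allow clients" half of the proposal into a hard cutoff; running `demo()` with that change shows the legacy-server row becoming an alert.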