Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
Ronald del Rosario <rrosario@five9.com> Fri, 22 May 2015 16:03 UTC
From: Ronald del Rosario <rrosario@five9.com>
To: Dave Garrett <davemgarrett@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Date: Fri, 22 May 2015 16:02:46 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/4-d3npo29kPeHLAbQgBvEY1CQQs>

+1 on diediedie documents

Maybe it needs a “dedicated website + cool logo” à la Heartbleed, FREAK, etc. to get noticed :-)

Ron del Rosario | @guerilla7

From: Dave Garrett <davemgarrett@gmail.com>
Date: Thursday, May 21, 2015 at 8:04 PM
To: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

On Thursday, May 21, 2015 10:56:22 pm Tony Arcieri wrote:
> On Thu, May 21, 2015 at 7:52 PM, Aaron Zauner <azet@azet.org> wrote:
> > So how about that TLSv1-diediedie document? :)
>
> I am very much +1 for more diediedie documents ;)

I'm certainly not going to argue against that. ;)

That said, the RC4 diediedie is getting largely ignored. To actually kill something like this off, it seems to need to be done as a panic response or as a requirement of something new that everyone starts together. (e.g. SSL3 diediedie or old TLS with HTTP/2) Thus was my reasoning for at least attempting to suggest it here. :|

Dave