Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft

Kurt Roeckx <kurt@roeckx.be> Sun, 28 December 2014 10:43 UTC

Date: Sun, 28 Dec 2014 11:43:48 +0100
From: Kurt Roeckx <kurt@roeckx.be>
To: Fabrice <fabrice.gautier@gmail.com>
Message-ID: <20141228104348.GA19183@roeckx.be>
References: <201412221945.35644.davemgarrett@gmail.com> <F07340BA-F182-470C-AF90-C85A973075B9@gmail.com> <549F2D90.5030305@hauke-m.de> <32B9010C-C209-4D55-9AEA-5BC3EBE738A3@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <32B9010C-C209-4D55-9AEA-5BC3EBE738A3@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4xdY8lAKL7vqqvd0qsm34532B38
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>, Dave Garrett <davemgarrett@gmail.com>
Subject: Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft

On Sat, Dec 27, 2014 at 02:59:02PM -0800, Fabrice wrote:
> 
> openssl s_client is also using an SSLv2 hello unless the -no_ssl2 option is used.

This was changed in OpenSSL 1.0.0.  The default cipher list
dropped SSLv2 ciphers and it would only use an SSLv2 compatible
client hello in case the cipher list didn't include an SSLv2
cipher and there aren't any extensions.  OpenSSL 0.9.8
unfortunately is still a supported version but we've announced
end of line for the end of next year.


Kurt
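The message above turns on the distinction between an SSLv2-compatible client hello (2-byte record header with the high bit set, 3-byte cipher specs, no room for extensions) and an SSLv3/TLS client hello (5-byte handshake record, 2-byte cipher suites, optional extensions block). The following is an added example, not code from this thread or from OpenSSL: it parses both framings from captured bytes so an operator can see which clients still send SSLv2-format hellos and whether a hello advertises an SSLv2-native cipher spec or carries extensions. The sample hellos are constructed here for illustration; function names and the returned dictionary layout are this example's own choices, and the parser does not attempt to reproduce OpenSSL's own selection logic.

```python
# Added example (not from the thread or from OpenSSL): classify a captured
# ClientHello by its framing and report SSLv2 cipher specs / TLS extensions.
import struct


def _parse_sslv2_hello(data: bytes) -> dict:
    """Parse an SSLv2 CLIENT-HELLO: 2-byte header, then msg type 0x01."""
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 9 or body[0] != 0x01:
        raise ValueError("not an SSLv2 CLIENT-HELLO")
    version = struct.unpack(">H", body[1:3])[0]
    cipher_len, sid_len, chal_len = struct.unpack(">HHH", body[3:9])
    if len(body) < 9 + cipher_len + sid_len + chal_len:
        raise ValueError("truncated SSLv2 CLIENT-HELLO")
    specs = body[9:9 + cipher_len]
    cipher_specs = [specs[i:i + 3] for i in range(0, cipher_len, 3)]
    # TLS suites ride in an SSLv2 hello as 0x00 XX YY; a nonzero first byte
    # is an SSLv2-native cipher kind (e.g. 0x010080 = SSL2 RC4-128-MD5).
    return {
        "framing": "sslv2",
        "version": version,
        "ciphers": [int.from_bytes(c, "big") for c in cipher_specs],
        "has_sslv2_cipher": any(c[0] != 0 for c in cipher_specs),
        "extension_types": [],
    }


def _parse_tls_hello(data: bytes) -> dict:
    """Parse a ClientHello inside an SSLv3/TLS handshake record (type 0x16)."""
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # compression_methods
    ext_types = []
    if pos < len(body):                           # extensions block is optional
        ext_total = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            ext_types.append(ext_type)
            pos += 4 + ext_len
    return {
        "framing": "tls",
        "version": version,
        "ciphers": suites,
        "has_sslv2_cipher": False,
        "extension_types": ext_types,
    }


def classify_client_hello(data: bytes) -> dict:
    """Dispatch on the first byte: 0x16 = TLS handshake record, high bit = SSLv2."""
    if len(data) >= 5 and data[0] == 0x16:
        return _parse_tls_hello(data)
    if len(data) >= 2 and data[0] & 0x80:
        return _parse_sslv2_hello(data)
    raise ValueError("unrecognised record framing")


def count_sslv2_framed(hellos) -> int:
    """Detection helper: how many captured hellos still use SSLv2 framing."""
    return sum(1 for h in hellos if classify_client_hello(h)["framing"] == "sslv2")


def build_sslv2_compat_hello() -> bytes:
    """Constructed sample: TLS 1.0 offered inside an SSLv2 record, one SSLv2 cipher."""
    ciphers = b"\x00\x00\x2f" + b"\x01\x00\x80"   # TLS_RSA_WITH_AES_128_CBC_SHA, SSL2 RC4-128-MD5
    challenge = b"\x00" * 16
    body = (b"\x01" + b"\x03\x01"
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_hello_with_ext() -> bytes:
    """Constructed sample: TLS 1.2 ClientHello carrying renegotiation_info (0xff01)."""
    ext = b"\xff\x01" + struct.pack(">H", 1) + b"\x00"
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack(">H", 2) + b"\x00\x2f"        # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    for sample in (build_sslv2_compat_hello(), build_tls_hello_with_ext()):
        print(classify_client_hello(sample))
```

Pointing `classify_client_hello` at the first record of each captured client connection gives a quick inventory of which peers still open with SSLv2 framing; those are the clients an operator would expect to break once a server drops SSLv2-compatible hello parsing, and the `has_sslv2_cipher` flag separates hellos that merely use the old framing from ones that actually offer an SSLv2 cipher.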