Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft

Dave Garrett <davemgarrett@gmail.com> Wed, 24 December 2014 07:23 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 24 Dec 2014 02:23:45 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-66-generic-pae; KDE/4.4.5; i686; ; )
References: <201412221945.35644.davemgarrett@gmail.com> <F07340BA-F182-470C-AF90-C85A973075B9@gmail.com>
In-Reply-To: <F07340BA-F182-470C-AF90-C85A973075B9@gmail.com>
Message-Id: <201412240223.46107.davemgarrett@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9T3Sg4gPrcD53xqpzBxvQZP9jDU
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft

On Wednesday, December 24, 2014 01:40:10 am you wrote:
> > There's no reason to maintain any backwards support here just for
> > Internet Explorer 2.0 on Windows 3.1.
> 
> I’m not objecting to the change, but I am objecting to the hyperbole. The
> issue is with Internet Explorer 6 on Windows XP, which still exists, but
> more importantly, a lot of web service clients running on top of Windows
> XP use the same SCHANNEL library as IE would use, so they issue a SSLv2
> ClientHello. Despite Microsoft’s best efforts, there is still a
> substantial but diminishing install base of XP.

I was not aware Microsoft used an SSL2 ClientHello for SSL3. Thanks for pointing 
that out. Is it not capable of sending an SSL3/TLS Hello at all? If it were 
properly configured to enable TLS1 and disable SSL2/3, would it send the proper 
TLS compatible Hello? (Microsoft really should've pushed an XP update to flip 
that switch years ago)

> It’s fine for us to break compatibility with these clients, but let’s not
> pretend it’s some ancient technology that doesn’t exist in the market
> anymore.
> 
> Yoav

Sad, but I guess that's true. :/


Dave
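The exchange above turns on one wire-level detail: an old SChannel stack announces SSL 3.0 or TLS 1.0 inside an SSLv2-format CLIENT-HELLO rather than a normal record-layer ClientHello, so a server that stops accepting the v2 framing cuts those clients off. The parser below is an added example, not code from this thread or from any TLS implementation; it follows the layouts in RFC 5246 Appendix E.2 (SSLv2-compatible hello) and Section 6.2/7.4.1.2 (record-layer ClientHello), and all sample byte strings are constructed in the builder functions rather than captured from real clients. Its purpose is the measurement a server operator would want before dropping v2 compatibility: classify each connection's first flight and tally how many still rely on the SSLv2 format.

```python
"""Classify the first bytes a TLS client sends as either an SSLv2-compatible
CLIENT-HELLO (RFC 5246 Appendix E.2) or a normal SSL3/TLS record-layer
ClientHello, so a server can count clients that still depend on the v2 framing.
Added example; layouts follow the RFC, sample bytes are constructed here."""
import struct
from collections import Counter

V2_CLIENT_HELLO = 0x01    # SSLv2 message type CLIENT-HELLO
TLS_HANDSHAKE = 0x16      # record-layer ContentType handshake
TLS_CLIENT_HELLO = 0x01   # HandshakeType client_hello


def parse_v2_compat_hello(data: bytes) -> dict:
    """Parse an SSLv2-compatible CLIENT-HELLO; raise ValueError if malformed."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header (high bit must be set)")
    msg_length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + msg_length]
    if len(body) != msg_length or msg_length < 9:
        raise ValueError("truncated SSLv2 record")
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBBHHH", body[:9])
    if msg_type != V2_CLIENT_HELLO:
        raise ValueError("SSLv2 record is not a CLIENT-HELLO")
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != msg_length:
        raise ValueError("CLIENT-HELLO length fields are inconsistent")
    specs = body[9:9 + cs_len]
    # Each V2CipherSpec is 3 bytes: {0x00, suite_hi, suite_lo} carries a TLS
    # cipher suite; any other first byte is a genuine SSL 2.0 cipher kind.
    suites, v2_only = [], []
    for i in range(0, cs_len, 3):
        spec = specs[i:i + 3]
        if spec[0] == 0:
            suites.append(struct.unpack(">H", spec[1:])[0])
        else:
            v2_only.append(spec)
    return {"format": "sslv2_compat", "client_version": (major, minor),
            "cipher_suites": suites, "sslv2_only_specs": v2_only}


def parse_tls_record_hello(data: bytes) -> dict:
    """Parse a record-layer ClientHello (no extensions needed); raise ValueError if malformed."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    record_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + record_len]
    if len(body) != record_len or record_len < 4 or body[0] != TLS_CLIENT_HELLO:
        raise ValueError("record does not carry a complete client_hello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated client_hello")
    client_version = (hello[0], hello[1])
    pos = 34                       # 2 bytes version + 32 bytes random
    sid_len = hello[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    suites_raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(suites_raw) != cs_len:
        raise ValueError("cipher_suites vector truncated")
    suites = [struct.unpack(">H", suites_raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    return {"format": "tls_record", "client_version": client_version,
            "cipher_suites": suites, "sslv2_only_specs": []}


def classify_client_hello(data: bytes) -> dict:
    """Dispatch on the first byte: high bit set -> SSLv2 framing, 0x16 -> TLS record."""
    if data and data[0] & 0x80:
        return parse_v2_compat_hello(data)
    if data and data[0] == TLS_HANDSHAKE:
        return parse_tls_record_hello(data)
    raise ValueError("first flight is neither SSLv2 nor TLS framing")


def tally_formats(first_flights) -> Counter:
    """Count first flights per framing; this is the number an operator wants before dropping v2."""
    counts = Counter()
    for data in first_flights:
        try:
            counts[classify_client_hello(data)["format"]] += 1
        except ValueError:
            counts["unrecognised"] += 1
    return counts


def build_v2_compat_hello(version, specs, challenge=b"\x00" * 16) -> bytes:
    """Constructed sample: encode an SSLv2-compatible CLIENT-HELLO (session id empty)."""
    body = struct.pack(">BBBHHH", V2_CLIENT_HELLO, version[0], version[1],
                       len(specs) * 3, 0, len(challenge)) + b"".join(specs) + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_record_hello(version, suites, random=b"\x00" * 32) -> bytes:
    """Constructed sample: encode a minimal record-layer ClientHello (no extensions)."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    hello = bytes(version) + random + b"\x00" + struct.pack(">H", len(cs)) + cs + b"\x01\x00"
    hs = bytes([TLS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + bytes(version) + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    # An XP-style client: TLS 1.0 announced inside SSLv2 framing, mixing a TLS
    # suite (0x0005) with a real SSL 2.0 cipher kind (0x010080).
    legacy = build_v2_compat_hello((3, 1), [b"\x00\x00\x05", b"\x01\x00\x80"])
    modern = build_tls_record_hello((3, 1), [0x002F, 0x0035])
    print(classify_client_hello(legacy))
    print(tally_formats([legacy, modern, b"GET / HTTP/1.0\r\n"]))
```

Because the dispatch looks only at the first byte, the same check can sit in front of a server's accept loop as a counter or log line for weeks before the v2 path is removed, which is exactly the "substantial but diminishing install base" question the thread raises.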