IETF Logo Mail Archive

Re: [TLS] Deprecating SSLv3

mrex@sap.com (Martin Rex) Mon, 24 November 2014 15:59 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 618741A6FB0 for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 07:59:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.55
X-Spam-Level:
X-Spam-Status: No, score=-6.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, WEIRD_PORT=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12chv6SFpP27 for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 07:59:41 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4416D1A6FF3 for <tls@ietf.org>; Mon, 24 Nov 2014 07:59:38 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 994923A1C3; Mon, 24 Nov 2014 16:59:35 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 5DFD841C4F; Mon, 24 Nov 2014 16:59:35 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 51E0C1B004; Mon, 24 Nov 2014 16:59:35 +0100 (CET)
In-Reply-To: <1723354.osyxesJJiI@pintsize.usersys.redhat.com>
To: Hubert Kario <hkario@redhat.com>
Date: Mon, 24 Nov 2014 16:59:35 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20141124155935.51E0C1B004@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9Z5ABIJLV4MjliDa3oR6Q4wSi8w
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecating SSLv3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 15:59:45 -0000

Hubert Kario wrote:
> 
> I've extended the scanner to try more fallbacks when testing (retry with a 
> much smaller client hello) and the stats for this month look like this:
> 
> Supported Protocols       Count     Percent
> -------------------------+---------+-------
> SSL2                      38835     8.7934
> SSL2 Only                 100       0.0226
> SSL3                      204062    46.2059
> SSL3 Only                 2195      0.497
> SSL3 or TLS1 Only         108575    24.5847
> SSL3 or lower Only        2293      0.5192
> TLS1                      438481    99.2856
> TLS1 Only                 46428     10.5127
> TLS1 or lower Only        143729    32.5447
> TLS1.1                    281522    63.7453
> TLS1.1 Only               25        0.0057
> TLS1.1 or up Only         443       0.1003
> TLS1.2                    292517    66.2349
> TLS1.2 Only               337       0.0763
> TLS1.2, 1.0 but not 1.1   13585     3.0761

How do TLS extension support fit into your picture?

Just a few days ago I was working on a customer message about interop
problems with a Business-2-Business scenario, and the Server that is used
seems to be an extensions-intolerant TLSv1.0 server.  The server is OK
with ClientHello.client_version = { 3, 3 }, but when ClientHello includes
any TLS extensions, it will abort with a fatal unexpected_message(10) alert.

 (the Website is http://www.elemica.com,
   the service(s) are on https://preprod.connect.elemica.com:5443
                     and https://connect.elemica.com:5443
   authentication is by TLS client certificate, but you'll see the
   TLS extensions intolerance by the fatal alert response to ClientHello.


> 
> I think we can safely banish a protocol that only 0.5% of servers require for
> interoperability.

Maybe you can, but I can not.  The support load would still be prohibitive.



> 
> Regarding the SSLv3 MUST NOT: we have to remember that we're talking about a 
> security protocol *used* for security. In such context SSLv3 should not be 
> used.
> 
> Just like MD5 use for digital signatures is completely broken but is 
> completely fine to use it as a checksum to verify proper download of a file 
> over internet (people use CRC32 for that!), use of SSLv3 for interop is fine, 
> but not if it is used for confidentiality.

You might not be aware of it, but there is only one TLS protocol version
that allows digital signatures with md5WithRsaEncryption, and that is TLSv1.2.


-Martin

v2.14.0 | Report a Bug | By Email