Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Hubert Kario <hkario@redhat.com> Fri, 22 May 2015 10:44 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4062D1ACCC7 for <tls@ietfa.amsl.com>; Fri, 22 May 2015 03:44:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.446
X-Spam-Level:
X-Spam-Status: No, score=-4.446 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_LOLITA1=1.865, J_CHICKENPOX_51=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qX2MxCtqmRqk for <tls@ietfa.amsl.com>; Fri, 22 May 2015 03:44:19 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3FA81AC44D for <tls@ietf.org>; Fri, 22 May 2015 03:44:19 -0700 (PDT)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (Postfix) with ESMTPS id 2D6348EAFB; Fri, 22 May 2015 10:44:19 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-112-78.ams2.redhat.com [10.36.112.78]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t4MAiEAZ020098 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 22 May 2015 06:44:18 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org, mrex@sap.com
Date: Fri, 22 May 2015 12:44:07 +0200
Message-ID: <2753681.QX1IYUOEOG@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.7 (Linux/3.19.7-200.fc21.x86_64; KDE/4.14.7; x86_64; ; )
In-Reply-To: <20150522074240.EF4501B31B@ld9781.wdf.sap.corp>
References: <20150522074240.EF4501B31B@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2246019.jq7YIAUCfe"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/A5uKRskpvadLNPxwTfiHzGKRXu8>
Cc: "maray@microsoft.com" <maray@microsoft.com>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 10:44:21 -0000

On Friday 22 May 2015 09:42:40 Martin Rex wrote:
> Dave Garrett wrote:
> > On Thursday, May 21, 2015 07:09:42 pm Yoav Nir wrote:
> >> Then point at the BCP. Only problem is that it doesn?t say what you want
> >> it to say (it allows TLS 1.0 when the client does not support anything
> >> else)> 
> > In my first post I said that I don't propose changing anything for
> > existing
> > deployments. The BCP is currently a "SHOULD NOT" for current TLS.
> > I'm proposing a "MUST NOT" for TLS 1.3+ implementations only.
> > 
> > The BCP is also not directly part of the TLS spec. What I'm suggesting is
> > considering 1.0/1.1 to be not legitimate forever, not just not "best".
> 
> All current "recommendations" against TLSv1.0 and TLSv1.1 are well-known
> FUD.
> 
> The difference between TLSv1.0 with 1/(n-1) record splitting and
> TLSv1.1 is cryptographically insignificant and the security of
> TLSv1.2 is lower than both of its precedessors (e.g. throug the
> botched TLS signature extension and the dumb idea to replace
> the md5+sha1 signatures with sha1-only signatures for RSA certificates.

schannel, OpenSSL, NSS and GnuTLS will use at least sha256 if only given 
chance

yes, clients should not be advertising support for sha-1, but it's not an end 
of the world scenario just yet

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 99/71, 612 45, Brno, Czech Republic