Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft

Yoav Nir <ynir.ietf@gmail.com> Wed, 24 December 2014 08:18 UTC

To: Dave Garrett <davemgarrett@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Dg9pntazeCfzewOvzyaMdYTHXf8
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>

> On Dec 24, 2014, at 9:23 AM, Dave Garrett <davemgarrett@gmail.com> wrote:
> 
> On Wednesday, December 24, 2014 01:40:10 am you wrote:
>>> There's no reason to maintain any backwards support here just for
>>> Internet Explorer 2.0 on Windows 3.1.
>> 
>> I’m not objecting to the change, but I am objecting to the hyperbole. The
>> issue is with Internet Explorer 6 on Windows XP, which still exists, but
>> more importantly, a lot of web service clients running on top of Windows
>> XP use the same SCHANNEL library as IE would use, so they issue an SSLv2
>> ClientHello. Despite Microsoft’s best efforts, there is still a
>> substantial but diminishing install base of XP.
> 
> I was not aware Microsoft used an SSL2 ClientHello for SSL3. Thanks for pointing 
> that out. Is it not capable of sending an SSL3/TLS Hello at all? If it were 
> properly configured to enable TLS1 and disable SSL2/3, would it send the proper 
> TLS compatible Hello? (Microsoft really should've pushed an XP update to flip 
> that switch years ago)

Yes. From the control panel you clicked “Internet Options”, and that had a tab for security, but it wasn’t there. Instead, it was in the tab for advanced, which had a bunch of options, some related to security, but it was under “encryption”, not security. There were checkboxes for support of SSLv2, SSLv3, and TLS 1.0. By default the SSLv2 and SSLv3 checkboxes were checked, while the TLS 1.0 box was unchecked. To get rid of the SSLv2 ClientHello you had to uncheck the SSLv2 box. I don’t think the kind of people who still use Windows XP are the same ones who would go into the settings to disable SSLv2.

I might have some of the details wrong. It’s been a few years since I last set Internet Options on a Windows XP box.

Yoav
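
The following is an added example, not part of the original message: a small classifier a server operator could run over the first bytes a client sends to tell an SSLv2-format ClientHello (the compatibility hello discussed in this thread) from a native SSLv3/TLS record. The function names and the sample bytes are constructed for illustration; the field layout follows the V2ClientHello structure in RFC 5246, Appendix E.2.

```python
import struct

def parse_first_flight(data: bytes) -> dict:
    """Classify the first bytes a client sends on a TLS port."""
    # Native SSLv3/TLS: record type 22 (handshake), major version 3,
    # and the handshake message type at offset 5 is 1 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"format": "tls-record", "version": (data[1], data[2])}
    # SSLv2 format: 2-byte header with the high bit set, then msg_type 1.
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 0x01:
        return {"format": "unknown"}
    msg_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    major, minor, spec_len, sid_len, chal_len = struct.unpack(">BBHHH", data[3:11])
    # msg_len covers type(1) + version(2) + three lengths(6) + variable fields.
    if (spec_len % 3 or 9 + spec_len + sid_len + chal_len != msg_len
            or len(data) < 2 + msg_len):
        return {"format": "unknown"}
    specs = [data[11 + i:14 + i] for i in range(0, spec_len, 3)]
    return {
        "format": "sslv2-hello",
        # Highest version the client offers; (3, 0) means SSLv3 inside a v2 hello.
        "version": (major, minor),
        # A non-zero first byte marks a native SSLv2 cipher kind.
        "v2_only_ciphers": [s.hex() for s in specs if s[0] != 0],
        # A zero first byte wraps a 2-byte SSLv3/TLS cipher suite.
        "tls_suites": [s[1:].hex() for s in specs if s[0] == 0],
    }

def build_sample_v2_hello() -> bytes:
    """Constructed sample: v2-format hello offering SSLv3 and three cipher specs."""
    specs = bytes.fromhex("010080" "000005" "00000a")
    body = struct.pack(">BBBHHH", 1, 3, 0, len(specs), 0, 16) + specs + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_sample_tls_hello_prefix() -> bytes:
    """Constructed sample: first six bytes of a TLS 1.0 record carrying a ClientHello."""
    return bytes.fromhex("16 03 01 00 2f 01")

if __name__ == "__main__":
    print(parse_first_flight(build_sample_v2_hello()))
    print(parse_first_flight(build_sample_tls_hello_prefix()))
```

Counting `sslv2-hello` results per client address in connection logs gives a direct measure of how many legacy clients would be affected by refusing the compatibility hello.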