Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Dave Garrett <davemgarrett@gmail.com> Fri, 22 May 2015 03:15 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E58731A9090 for <tls@ietfa.amsl.com>; Thu, 21 May 2015 20:15:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xPZHUW5T-KlL for <tls@ietfa.amsl.com>; Thu, 21 May 2015 20:14:59 -0700 (PDT)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9454D1A908F for <tls@ietf.org>; Thu, 21 May 2015 20:14:59 -0700 (PDT)
Received: by qkx62 with SMTP id 62so4091081qkx.3 for <tls@ietf.org>; Thu, 21 May 2015 20:14:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=ce1FxXIzIzyVfZmAj4wrFqTziiUhv92bonLFaUf2KwA=; b=wZY8iVxnP2qQSeSv96KNvqt92pB7mrLYMRuJj+DKnBuspMplv/jrDfiyMwjNemMYri QxcKDcR3Jq+sGj/dtF+ETiLXRLBPDo9fky8d6bvR+8NlGq2X2R972XAo/+/kxlSpkkpa ibxLi1boaJkxwB53O7XNRPleG7BIjyY+YacK+ZDpofShCveMbub6ojg461a+hBEWyKT7 qkZtwMMhXHCjC82KBhcg/jvx5uW237dpuzt1VMNvxNFu0Tqg2c+7O6xL6Gsn33Cz9Pzm SDdXInrabPS2o1JQEK3ohJa9H5sCWmM23gN7oK/0/kt0owD1LG8fcAQo1H5yk/M4Yqva 3qSQ==
X-Received: by 10.140.108.195 with SMTP id j61mr8212266qgf.83.1432264498869; Thu, 21 May 2015 20:14:58 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id j60sm537385qge.38.2015.05.21.20.14.58 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 21 May 2015 20:14:58 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 21 May 2015 23:14:57 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <201505211210.43060.davemgarrett@gmail.com> <201505212304.11513.davemgarrett@gmail.com> <CABkgnnWa=VvYR4cWDZAi-suaezvLCcBW1+QUSeGu4LJ6A22y8A@mail.gmail.com>
In-Reply-To: <CABkgnnWa=VvYR4cWDZAi-suaezvLCcBW1+QUSeGu4LJ6A22y8A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201505212314.57525.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Edt4zh5U9-1o0XJ4hzuo8R9jKA8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 03:15:01 -0000

On Thursday, May 21, 2015 11:06:36 pm Martin Thomson wrote:
> On 21 May 2015 at 20:04, Dave Garrett <davemgarrett@gmail.com>; wrote:
> > That said, the RC4 diediedie is getting largely ignored.
> 
> That's not true.  I think that you expect something as large as the
> Internet to move on timescales that just aren't feasible.  There's an
> entire supply chain that has to move here.

Fair enough; ignored is not the right word.

I should say instead that I have not seen a change nearly on the scale of the SSL3 RFC. Those who were in the process of phasing out RC4 are still doing so at a comparable pace. Browsers were willing to accept breakage for SSL3, but they're not yet ready for RC4. In comparison it appears to have had less effect, at least so far. This will, of course, hopefully change.