Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
Dave Garrett <davemgarrett@gmail.com> Fri, 22 May 2015 03:15 UTC
From: Dave Garrett <davemgarrett@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 21 May 2015 23:14:57 -0400
References: <201505211210.43060.davemgarrett@gmail.com> <201505212304.11513.davemgarrett@gmail.com> <CABkgnnWa=VvYR4cWDZAi-suaezvLCcBW1+QUSeGu4LJ6A22y8A@mail.gmail.com>
In-Reply-To: <CABkgnnWa=VvYR4cWDZAi-suaezvLCcBW1+QUSeGu4LJ6A22y8A@mail.gmail.com>
Message-Id: <201505212314.57525.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Edt4zh5U9-1o0XJ4hzuo8R9jKA8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
On Thursday, May 21, 2015 11:06:36 pm Martin Thomson wrote:
> On 21 May 2015 at 20:04, Dave Garrett <davemgarrett@gmail.com> wrote:
> > That said, the RC4 diediedie is getting largely ignored.
>
> That's not true. I think that you expect something as large as the
> Internet to move on timescales that just aren't feasible. There's an
> entire supply chain that has to move here.

Fair enough; ignored is not the right word. I should say instead that I have not seen a change nearly on the scale of the SSL3 RFC. Those who were in the process of phasing out RC4 are still doing so at a comparable pace. Browsers were willing to accept breakage for SSL3, but they're not yet ready for RC4. In comparison it appears to have had less effect, at least so far. This will, of course, hopefully change.