Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Dave Garrett <> Thu, 21 May 2015 23:04 UTC

From: Dave Garrett <>
To: Yoav Nir <>
Date: Thu, 21 May 2015 19:03:03 -0400

On Thursday, May 21, 2015 06:34:08 pm Yoav Nir wrote:
> > On May 22, 2015, at 1:16 AM, Dave Garrett <> wrote:
> > On Thursday, May 21, 2015 05:50:26 pm Yoav Nir wrote:
> >> According to Windows XP is still 16% of desktops/laptops (as measured by web traffic). Add some older mac OS X versions and you reach 17%. Even mobile has some older versions. What this is proposing is to require servers to cut all of those off as a pre-requisite to supporting TLS 1.3.
> > 
> > Windows XP & old Mac OS X users can install Mozilla Firefox or Google Chrome (or one of the browsers based on one). It's just the built-in browser that won't work because the vendor dropped support.
> And you are proposing that we force them to do this? Worse, you are proposing that we deputize all server operators in forcing them to replace their browser?

Force them to not use IE8? Oh, the humanity.

I'm saying it's a joke to say a server is secure when it still knowingly supports a security protocol from 16 years ago that has been replaced 3 times over. (2, prior to 1.3) At minimum, I'm saying a server that actually does that shouldn't be allowed to pretend it's compliant with modern security standards.

Every time there's some new catastrophic vulnerability that's discovered (but of course, always existed) that involves some decade-plus-old junk, people feign surprise and slowly get around to dealing with the issue. This latest weak DH issue has been known to exist in some form for years, yet now, all of a sudden, we're bothering to deal with it because someone found out it was worse. There are trivial measures that, whilst having massive consequences, can be done proactively with real effect. Agreeing to disable protocols left over from the '90s is a start. We know TLS 1.0 and 1.1 are not as secure as they should be; that's why TLS 1.2 exists and why TLS 1.3 is being designed. It's not some secret; they were replaced for legitimate reasons that we should stop ignoring if we want this protocol to have legitimacy.

I'd like to be able to point to the TLS 1.3 spec and tell people that servers implementing it are as secure as we currently know how to make them, which is just not true unless their weakest link isn't obsolete crap.