Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

mrex@sap.com (Martin Rex) Fri, 22 May 2015 07:42 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B1671ACE4B for <tls@ietfa.amsl.com>; Fri, 22 May 2015 00:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.086
X-Spam-Level:
X-Spam-Status: No, score=-4.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_LOLITA1=1.865, HELO_EQ_DE=0.35, J_CHICKENPOX_51=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TrcJq-vFzqa0 for <tls@ietfa.amsl.com>; Fri, 22 May 2015 00:42:43 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CB411ACE46 for <tls@ietf.org>; Fri, 22 May 2015 00:42:42 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 1B0462A674; Fri, 22 May 2015 09:42:41 +0200 (CEST)
X-purgate-ID: 152705::1432280561-00000B48-200E14DA/0/0
X-purgate-size: 1453
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 0651F413CE; Fri, 22 May 2015 09:42:41 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id EF4501B31B; Fri, 22 May 2015 09:42:40 +0200 (CEST)
In-Reply-To: <201505211920.22236.davemgarrett@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Date: Fri, 22 May 2015 09:42:40 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150522074240.EF4501B31B@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Fwsk9fBJJIa-ujvo-HkEBb1jyVQ>
Cc: "maray@microsoft.com" <maray@microsoft.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 07:42:45 -0000

Dave Garrett wrote:
> On Thursday, May 21, 2015 07:09:42 pm Yoav Nir wrote:
>> Then point at the BCP. Only problem is that it doesn?t say what you want
>> it to say (it allows TLS 1.0 when the client does not support anything else)
> 
> In my first post I said that I don't propose changing anything for existing
> deployments. The BCP is currently a "SHOULD NOT" for current TLS.
> I'm proposing a "MUST NOT" for TLS 1.3+ implementations only.
> 
> The BCP is also not directly part of the TLS spec. What I'm suggesting is
> considering 1.0/1.1 to be not legitimate forever, not just not "best".

All current "recommendations" against TLSv1.0 and TLSv1.1 are well-known FUD.

The difference between TLSv1.0 with 1/(n-1) record splitting and
TLSv1.1 is cryptographically insignificant and the security of
TLSv1.2 is lower than both of its precedessors (e.g. throug the
botched TLS signature extension and the dumb idea to replace
the md5+sha1 signatures with sha1-only signatures for RSA certificates.

For the mandatory to implement TLSv1.2 cipher suite, TLSv1.0 and TLSv1.1
are just fine.  AEAD cipher suites are not part of TLSv1.2, they're
a mere optional add-on that is artificially limited to TLSv1.2, and a
number of TLSv1.2 implementations do not support AEAD cipher suites.

Same for Elliptic Curve.  It's optional, and to date, it is not even
standards track.  Many TLS implementations do implement EC.


-Martin