Re: [TLS] drop obsolete SSL 2 backwards compatibility and prohibit SSL3 negotiation in TLS 1.3 draft
Dave Garrett <davemgarrett@gmail.com> Wed, 24 December 2014 01:46 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCBC41A8834 for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 17:46:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1pCB4MMSfU_F for <tls@ietfa.amsl.com>; Tue, 23 Dec 2014 17:46:23 -0800 (PST)
Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 284271A6FF1 for <tls@ietf.org>; Tue, 23 Dec 2014 17:46:23 -0800 (PST)
Received: by mail-qg0-f41.google.com with SMTP id e89so3497252qgf.0 for <tls@ietf.org>; Tue, 23 Dec 2014 17:46:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:references:in-reply-to:cc :mime-version:content-type:content-transfer-encoding:message-id; bh=B3kjKorMScAFuSE/vI5lZBPNvb5fvwdEWaL+C15XJJ0=; b=iyI8t4NX6OMVV4mMy4rdQNF23rTJL20CoYKxI8rnXY091+kZJf+tzQ3qSsBLAXYEsr dwE6+kg4BouZV4djDUIkykuqK7PWGNGXgRwdjwsPvCAL0mrLKM7C2xQL5CV58daWuHZi eG3uyahGd7RaFL8RWcXwnkpeJ+BRF64vz3gjxyTRVgdStXWSMvcWqaCl6r8vwIfm6dSD Q088t8i12smpM5nlo9NAvrCPnsI5NCfLzXq9K5c1sXoAQcu6bB+51Z7jP5I0NLZbEHjS 5Dhw6e6tc+UenbPyjVpIv1kfIOlf4b57VZHWDNOzYz3YC4DhOQj0Wq5eKG3kJK0/ewcz 2Hvg==
X-Received: by 10.224.42.202 with SMTP id t10mr50271689qae.21.1419385582404; Tue, 23 Dec 2014 17:46:22 -0800 (PST)
Received: from dave-laptop.localnet (pool-72-78-212-218.phlapa.fios.verizon.net. [72.78.212.218]) by mx.google.com with ESMTPSA id q68sm20308353qgq.0.2014.12.23.17.46.21 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 23 Dec 2014 17:46:21 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: Brian Smith <brian@briansmith.org>
Date: Tue, 23 Dec 2014 20:46:20 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-66-generic-pae; KDE/4.4.5; i686; ; )
References: <201412221945.35644.davemgarrett@gmail.com> <CAFewVt4OUkh5KhemR19dok0-dJ2eH3O71xQQ96QZTeLaE1dicg@mail.gmail.com>
In-Reply-To: <CAFewVt4OUkh5KhemR19dok0-dJ2eH3O71xQQ96QZTeLaE1dicg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201412232046.20657.davemgarrett@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/GTid5aNR-9lcw9QpIzy3M7avfk4
X-Mailman-Approved-At: Fri, 26 Dec 2014 08:23:03 -0800
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] drop obsolete SSL 2 backwards compatibility and prohibit SSL3 negotiation in TLS 1.3 draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 01:46:25 -0000
On Tuesday, December 23, 2014 04:51:40 pm Brian wrote: > Dave Garrett <davemgarrett@gmail.com> wrote: > > The PR replaces the section with a simple "MUST NOT" send or accept for > > TLS 1.3 implementations. > > It would be best to have your change do exactly that, by shortening > the remaining text to: > > Implementations MUST NOT send or accept an SSL > version 2.0 compatible CLIENT-HELLO. Implementations > MUST NOT send or accept TLS records with a version > less than { 3, 0 }. > > Note the suggestion to use the term "records" instead of "messages". I've updated the language for SSL2 based on your suggestions and have added in new language to prohibit SSL3 negotiation. Specifically, I'm using wording based on: https://tools.ietf.org/html/draft-ietf-tls-sslv3-diediedie-00 This would have SSL2 connections attempts be ignored and SSL3 connection attempts be refused. Dave PS I do hope the SSL3 "diediedie" name stays around until RFC, as it so nicely carries the appropriate sentiment. ;)
- [TLS] drop obsolete SSL 2 backwards compatibility… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yoav Nir
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yoav Nir
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- [TLS] explicitly specify ClientHello record versi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Jeffrey Walton
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Hauke Mehrtens
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yoav Nir
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Fabrice
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Hauke Mehrtens
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Salz, Rich
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Watson Ladd
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Thomson
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Peter Gutmann
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Salz, Rich
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Florian Weimer
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Florian Weimer
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Daniel Kahn Gillmor
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Andrei Popov
- [TLS] Downgrade Dance steps (Re: drop obsolete SS… Martin Rex
- Re: [TLS] Downgrade Dance steps (Re: drop obsolet… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao