IETF Logo Mail Archive

Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93)

Yuhong Bao <yuhongbao_386@hotmail.com> Thu, 23 July 2015 17:11 UTC

Return-Path: <yuhongbao_386@hotmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6EA51A212D for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 10:11:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.36
X-Spam-Level:
X-Spam-Status: No, score=-2.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJOFo0s2Eh6Y for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 10:11:11 -0700 (PDT)
Received: from BLU004-OMC3S27.hotmail.com (blu004-omc3s27.hotmail.com [65.55.116.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91AEA1A8764 for <tls@ietf.org>; Thu, 23 Jul 2015 10:11:09 -0700 (PDT)
Received: from BLU177-W35 ([65.55.116.73]) by BLU004-OMC3S27.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Thu, 23 Jul 2015 10:11:09 -0700
X-TMN: [PaZkSo0iXcao1ou6ToT8/5S+0MuYudyI]
X-Originating-Email: [yuhongbao_386@hotmail.com]
Message-ID: <BLU177-W3560BE6DA961A5E176BF6BC3820@phx.gbl>
From: Yuhong Bao <yuhongbao_386@hotmail.com>
To: "tls@ietf.org" <tls@ietf.org>, "Andrei.Popov@microsoft.com" <andrei.popov@microsoft.com>, "maray@microsoft.com" <maray@microsoft.com>
Date: Thu, 23 Jul 2015 10:11:08 -0700
Importance: Normal
In-Reply-To: <20150723160034.GV4347@mournblade.imrryr.org>
References: <201507221610.27729.davemgarrett@gmail.com>, <1724827.ajpDBsKllU@pintsize.usersys.redhat.com>, <201507231143.46288.davemgarrett@gmail.com>, <20150723160034.GV4347@mournblade.imrryr.org>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 23 Jul 2015 17:11:09.0004 (UTC) FILETIME=[916190C0:01D0C56A]
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/J2koz0d6toNdJw73tHOlVmaYl-0>
Subject: Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 17:11:13 -0000



It is Windows Server 2003 SMTP service that has this problem.
There is a hotfix for it.
I had been asking for these fixes to be pushed out and the KB article corrected before Windows Server 2003 ended support.

> Date: Thu, 23 Jul 2015 16:00:34 +0000
> From: ietf-dane@dukhovni.org
> To: tls@ietf.org
> Subject: Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93)
> 
> On Thu, Jul 23, 2015 at 11:43:45AM -0400, Dave Garrett wrote:
> 
>> Right now, the restrictions section prohibits:
>> RC4, SSL2/3, & EXPORT/NULL entirely (via min bits)
>> and has "SHOULD" use TLS 1.3+ compatible with TLS 1.2, if available
> 
> So much for using NULL ciphers for client-server authentication on
> loopback interfaces. :-(
> 
> Surely, in at least some cases, making it harder to make mistakes
> needs to be addressed in toolkit and application interfaces, not
> the protocol. Removing weak algorithms that serve the same use-cases
> poorly is fine, but removing non-traditional use-cases is perhaps
> too drastic.
> 
>> Plus, "MUST" use DHE or ECDHE for ALL connections, even back to TLS 1.0,
>> or abort with a fatal error.
> 
> Who's going to police the Internet to remove all the legacy services?
> 
>> By the way, even IE6 on XP supports DHE.
> 
> But not Exchange server 2003, and various Windows-based email gateway
> appliances.
> 
>> If we actually have to care about IE on
>> XP, we could state an exception that the only non-PFS cipher suite to be
>> permitted on servers for backwards compatibility is
>> TLS_RSA_WITH_3DES_EDE_CBC_SHA.
> 
> Exchange 2003 has a broken 3DES implementation. The only working
> ciphersuites are RC4-SHA/RC4-MD5.
> 
> And there are surely plenty of legacy system that are neither HTTPS
> or email. It sure sounds like the radical surgery is largely for
> HTTPS, and should be implemented in web servers and clients, not
> the TLS protocol.
> 
> -- 
> Viktor.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email