Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93)
Yuhong Bao <yuhongbao_386@hotmail.com> Thu, 23 July 2015 17:11 UTC
Return-Path: <yuhongbao_386@hotmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6EA51A212D for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 10:11:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.36
X-Spam-Level:
X-Spam-Status: No, score=-2.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJOFo0s2Eh6Y for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 10:11:11 -0700 (PDT)
Received: from BLU004-OMC3S27.hotmail.com (blu004-omc3s27.hotmail.com [65.55.116.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91AEA1A8764 for <tls@ietf.org>; Thu, 23 Jul 2015 10:11:09 -0700 (PDT)
Received: from BLU177-W35 ([65.55.116.73]) by BLU004-OMC3S27.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Thu, 23 Jul 2015 10:11:09 -0700
X-TMN: [PaZkSo0iXcao1ou6ToT8/5S+0MuYudyI]
X-Originating-Email: [yuhongbao_386@hotmail.com]
Message-ID: <BLU177-W3560BE6DA961A5E176BF6BC3820@phx.gbl>
From: Yuhong Bao <yuhongbao_386@hotmail.com>
To: "tls@ietf.org" <tls@ietf.org>, "Andrei.Popov@microsoft.com" <andrei.popov@microsoft.com>, "maray@microsoft.com" <maray@microsoft.com>
Date: Thu, 23 Jul 2015 10:11:08 -0700
Importance: Normal
In-Reply-To: <20150723160034.GV4347@mournblade.imrryr.org>
References: <201507221610.27729.davemgarrett@gmail.com>, <1724827.ajpDBsKllU@pintsize.usersys.redhat.com>, <201507231143.46288.davemgarrett@gmail.com>, <20150723160034.GV4347@mournblade.imrryr.org>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 23 Jul 2015 17:11:09.0004 (UTC) FILETIME=[916190C0:01D0C56A]
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/J2koz0d6toNdJw73tHOlVmaYl-0>
Subject: Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 17:11:13 -0000
It is Windows Server 2003 SMTP service that has this problem. There is a hotfix for it. I had been asking for these fixes to be pushed out and the KB article corrected before Windows Server 2003 ended support. > Date: Thu, 23 Jul 2015 16:00:34 +0000 > From: ietf-dane@dukhovni.org > To: tls@ietf.org > Subject: Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93) > > On Thu, Jul 23, 2015 at 11:43:45AM -0400, Dave Garrett wrote: > >> Right now, the restrictions section prohibits: >> RC4, SSL2/3, & EXPORT/NULL entirely (via min bits) >> and has "SHOULD" use TLS 1.3+ compatible with TLS 1.2, if available > > So much for using NULL ciphers for client-server authentication on > loopback interfaces. :-( > > Surely, in at least some cases, making it harder to make mistakes > needs to be addressed in toolkit and application interfaces, not > the protocol. Removing weak algorithms that serve the same use-cases > poorly is fine, but removing non-traditional use-cases is perhaps > too drastic. > >> Plus, "MUST" use DHE or ECDHE for ALL connections, even back to TLS 1.0, >> or abort with a fatal error. > > Who's going to police the Internet to remove all the legacy services? > >> By the way, even IE6 on XP supports DHE. > > But not Exchange server 2003, and various Windows-based email gateway > appliances. > >> If we actually have to care about IE on >> XP, we could state an exception that the only non-PFS cipher suite to be >> permitted on servers for backwards compatibility is >> TLS_RSA_WITH_3DES_EDE_CBC_SHA. > > Exchange 2003 has a broken 3DES implementation. The only working > ciphersuites are RC4-SHA/RC4-MD5. > > And there are surely plenty of legacy system that are neither HTTPS > or email. It sure sounds like the radical surgery is largely for > HTTPS, and should be implemented in web servers and clients, not > the TLS protocol. > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] A la carte concerns from IETF 93 Dave Garrett
- Re: [TLS] A la carte concerns from IETF 93 Hubert Kario
- Re: [TLS] A la carte concerns from IETF 93 Ilari Liusvaara
- [TLS] ban more old crap (was: A la carte concerns… Dave Garrett
- Re: [TLS] ban more old crap (was: A la carte conc… Viktor Dukhovni
- Re: [TLS] ban more old crap (was: A la carte conc… Dave Garrett
- Re: [TLS] ban more old crap Stephen Farrell
- Re: [TLS] ban more old crap (was: A la carte conc… Yuhong Bao
- Re: [TLS] ban more old crap Eric Rescorla
- Re: [TLS] ban more old crap Hubert Kario
- Re: [TLS] ban more old crap (was: A la carte conc… Hubert Kario
- Re: [TLS] ban more old crap Dave Garrett
- Re: [TLS] ban more old crap Ilari Liusvaara
- Re: [TLS] ban more old crap Hubert Kario
- Re: [TLS] ban more old crap Dave Garrett
- Re: [TLS] ban more old crap Hubert Kario
- Re: [TLS] ban more old crap Dave Garrett
- Re: [TLS] ban more old crap Yuhong Bao
- Re: [TLS] ban more old crap Ilari Liusvaara
- Re: [TLS] ban more old crap Viktor Dukhovni
- Re: [TLS] ban more old crap Salz, Rich
- Re: [TLS] ban more old crap Stephen Farrell
- Re: [TLS] ban more old crap Benjamin Beurdouche
- Re: [TLS] ban more old crap Eric Rescorla
- Re: [TLS] ban more old crap Martin Thomson
- Re: [TLS] ban more old crap Salz, Rich
- Re: [TLS] ban more old crap Martin Thomson
- Re: [TLS] ban more old crap Viktor Dukhovni
- Re: [TLS] ban more old crap Viktor Dukhovni
- Re: [TLS] ban more old crap Dave Garrett
- Re: [TLS] ban more old crap Viktor Dukhovni