Re: [TLS] Mail regarding draft-ietf-tls-tls13

Ben Personick <ben.personick@iongroup.com> Tue, 19 June 2018 17:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KuVuvHET1ecySXL6JoCMOavHnf4>

Hi Viktor,

  We've never supported DHE, and are skipping it to ECDHE as DHE is considered by our security scans to be too insecure (as our LB's implementation is capped at 1024-bit ephemerals).

________________________________
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Sent: Tuesday, June 19, 2018 1:07 PM
To: Ben Personick
Cc: TLS WG
Subject: Re: [TLS] Mail regarding draft-ietf-tls-tls13



> On Jun 19, 2018, at 11:17 AM, Ben Personick <ben.personick@iongroup.com> wrote:
>
>   Yes, I meant ECDHE_ECDSA and ECDHE_RSA are both supported in TLS 1.3, I’d been led to believe that all RSA-based ciphers were not supported.
>
>  Having seen some further responses, it appears it is only the NON-ECDHE RSA-based ciphers which are having support dropped in TLS 1.3.

I may have been too cryptic.  When I wrote (EC)DHE I meant both DHE and ECDHE.
However, some (early) implementations may only support ECDHE with TLS 1.3.
IIRC, OpenSSL 1.1.1 does not yet support the TLS 1.3 DHE groups.  So
interoperability if you only support DHE may be problematic.

--
        Viktor.
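
Added example, not part of the original messages: a check of the interoperability point above, parsing a TLS 1.3 `supported_groups` extension body and testing whether a DHE-only offer overlaps with an ECDHE-only peer. The group code points are those of RFC 8446; the sample offers, the server list and the server-preference selection policy are constructed assumptions.

```python
import struct

# TLS 1.3 NamedGroup code points (RFC 8446, section 4.2.7).
# The smallest finite-field group is ffdhe2048, so a 1024-bit DHE
# exchange cannot be negotiated in TLS 1.3 at all.
ECDHE = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
         0x001D: "x25519", 0x001E: "x448"}
FFDHE = {0x0100: "ffdhe2048", 0x0101: "ffdhe3072", 0x0102: "ffdhe4096",
         0x0103: "ffdhe6144", 0x0104: "ffdhe8192"}


def parse_supported_groups(ext_data: bytes) -> list[int]:
    """Parse a supported_groups extension body (a NamedGroupList)."""
    if len(ext_data) < 2:
        raise ValueError("truncated NamedGroupList")
    (length,) = struct.unpack_from("!H", ext_data, 0)
    # The list is 2..2^16-1 bytes of 16-bit code points.
    if length == 0 or length % 2 or length != len(ext_data) - 2:
        raise ValueError("malformed NamedGroupList length")
    return [g for (g,) in struct.iter_unpack("!H", ext_data[2:])]


def negotiate(client_ext: bytes, server_groups: list[int]):
    """Return (name, kind) for the first server-preferred group the client
    offered, or None when there is no common group (handshake would fail).
    Server-preference ordering is an assumption of this sketch."""
    offered = set(parse_supported_groups(client_ext))
    for group in server_groups:
        if group in offered:
            if group in ECDHE:
                return ECDHE[group], "ECDHE"
            if group in FFDHE:
                return FFDHE[group], "DHE"
            return hex(group), "other"
    return None


# Constructed sample data (not captured traffic).
DHE_ONLY_CLIENT = struct.pack("!H3H", 6, 0x0100, 0x0101, 0x0102)
MIXED_CLIENT = struct.pack("!H3H", 6, 0x0100, 0x001D, 0x0017)
ECDHE_ONLY_SERVER = [0x001D, 0x0017]   # e.g. an early stack without FFDHE

if __name__ == "__main__":
    print("DHE-only client  :", negotiate(DHE_ONLY_CLIENT, ECDHE_ONLY_SERVER))
    print("mixed-offer client:", negotiate(MIXED_CLIENT, ECDHE_ONLY_SERVER))
```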