Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft

Yuhong Bao <yuhongbao_386@hotmail.com> Wed, 11 February 2015 07:46 UTC

Return-Path: <yuhongbao_386@hotmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8585F1A86F2 for <tls@ietfa.amsl.com>; Tue, 10 Feb 2015 23:46:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.239
X-Spam-Level:
X-Spam-Status: No, score=0.239 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z72CbcBq-4dn for <tls@ietfa.amsl.com>; Tue, 10 Feb 2015 23:46:53 -0800 (PST)
Received: from BLU004-OMC1S36.hotmail.com (blu004-omc1s36.hotmail.com [65.55.116.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD9F31A7113 for <tls@ietf.org>; Tue, 10 Feb 2015 23:46:53 -0800 (PST)
Received: from BLU177-W18 ([65.55.116.8]) by BLU004-OMC1S36.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751); Tue, 10 Feb 2015 23:46:53 -0800
X-TMN: [cnK0KVnWDfJZv4jge4ejDWAVeJc2w3e4]
X-Originating-Email: [yuhongbao_386@hotmail.com]
Message-ID: <BLU177-W188D36F30C897CF00B0E03C3250@phx.gbl>
From: Yuhong Bao <yuhongbao_386@hotmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Dave Garrett <davemgarrett@gmail.com>
Date: Tue, 10 Feb 2015 23:46:52 -0800
Importance: Normal
In-Reply-To: <D631F5FE-C56E-46D2-B17F-0216992C5D4C@gmail.com>
References: <201412221945.35644.davemgarrett@gmail.com>, <F07340BA-F182-470C-AF90-C85A973075B9@gmail.com>, <201412240223.46107.davemgarrett@gmail.com>, <D631F5FE-C56E-46D2-B17F-0216992C5D4C@gmail.com>
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 11 Feb 2015 07:46:53.0196 (UTC) FILETIME=[E6D3BCC0:01D045CE]
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/LqtytoYuJGhwD88CMJQLKgt_5sM>
Cc: "TLS@ietf.org tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2015 07:46:55 -0000

>> On Dec 24, 2014, at 9:23 AM, Dave Garrett <davemgarrett@gmail.com> wrote:
>>
>> On Wednesday, December 24, 2014 01:40:10 am you wrote:
>>>> There's no reason to maintain any backwards support here just for
>>>> Internet Explorer 2.0 on Windows 3.1.
>>>
>>> I’m not objecting to the change, but I am objecting to the hyperbole. The
>>> issue is with Internet Explorer 6 on Windows XP, which still exists, but
>>> more importantly, a lot of web service clients running on top of Windows
>>> XP use the same SCHANNEL library as IE would use, so they issue a SSLv2
>>> ClientHello. Despite Microsoft’s best efforts, there is still a
>>> substantial but diminishing install base of XP.
>>
>> I was not aware Microsoft used an SSL2 ClientHello for SSL3. Thanks for pointing
>> that out. Is it not capable of sending an SSL3/TLS Hello at all? If it were
>> properly configured to enable TLS1 and disable SSL2/3, would it send the proper
>> TLS compatible Hello? (Microsoft really should've pushed an XP update to flip
>> that switch years ago)
>
> Yes. From the control panel you clicked “Internet Options”, and that had a tab for security, but it wasn’t there. Instead, it was in the tab for advanced, which had a bunch of options, some related to security, but it was under “encryption”, not security. There were checkboxes for support of SSLv2, SSLv3, and TLS 1.0. By default the SSLv2 and SSLv3 checkboxes were checked, while the TLS 1.0 box was unchecked. To get rid of the SSLv2 ClientHello you had to uncheck the SSLv2. I don’t think the kind of people who still use Windows XP are the same ones who would go into the settings to disable SSLv2.
>
> I might have some of the details wrong. It’s been a few years since I last set Internet Options on a Windows XP box.

In fact, I think you can disable the SSLv2 ClientHello globally for all users of SChannel using the following reg key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"Enabled"=dword:00000000
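The .reg fragment above sets one value by hand. The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling; it reads the same SChannel key path and "Enabled" DWORD named in the message, reports the current state, and only writes Enabled=0 when run with an -Apply switch. The function names and the -Apply switch are this example's own. It assumes an elevated prompt on a Windows host; SChannel protocol settings are read at startup, so a restart is normally needed before the change is observable.

```powershell
# Added example (not from the original post): audit and, with -Apply, disable the
# SChannel "Multi-Protocol Unified Hello" client setting described above.
# Key path and the "Enabled" DWORD come from the post; the -Apply switch and the
# function names are assumptions of this example. Run from an elevated PowerShell.
param([switch]$Apply)

$BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$KeyPath  = Join-Path $BasePath 'Multi-Protocol Unified Hello\Client'

function Get-UnifiedHelloClientState {
    # Returns 'Missing' when the key or value is absent (the SChannel default then
    # applies); otherwise the DWORD as an integer (0 = disabled, non-zero = enabled).
    if (-not (Test-Path -Path $KeyPath)) { return 'Missing' }
    $item = Get-ItemProperty -Path $KeyPath -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    return [int]$item.Enabled
}

function Disable-UnifiedHelloClient {
    # Creates the key if it does not exist and sets Enabled=0, matching the
    # "Enabled"=dword:00000000 line of the .reg fragment in the post.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-UnifiedHelloClientState
Write-Output "Before: Enabled = $before"

if ($Apply) {
    Disable-UnifiedHelloClient
    $after = Get-UnifiedHelloClientState
    Write-Output "After:  Enabled = $after (restart required for SChannel to pick this up)"
} else {
    Write-Output "Dry run only; re-run with -Apply from an elevated prompt to set Enabled=0."
}
```

Running the script without -Apply is safe on any machine and simply reports whether the value is present; the "Missing" result distinguishes "never configured" from an explicit 0 or 1, which matters when auditing a fleet of XP-era hosts for the SSLv2-style hello.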