Re: [TLS] TLS1.2 vs TLS1.0
Hanno Böck <hanno@hboeck.de> Tue, 21 May 2013 08:27 UTC
Date: Tue, 21 May 2013 10:26:47 +0200
From: Hanno Böck <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20130521102647.402e695e@melee>
In-Reply-To: <CAK=bVC8EZCCpG4+kzYUk+i5a_=Nh4AEGkuFJEC45cBSLLdnoTg@mail.gmail.com>
References: <CAK=bVC8EZCCpG4+kzYUk+i5a_=Nh4AEGkuFJEC45cBSLLdnoTg@mail.gmail.com>

On Mon, 20 May 2013 13:47:08 -0700
Ulrich Herberg <ulrich@herberg.name> wrote:

> I am participating in another SDO on a standard for automated Demand
> Response, called OpenADR (www.openadr.org), an application for the
> smart grid. The application is basically a web service, exchanging XML
> over HTTP over public networks, and using TLS (with RSA and ECDSA /
> SHA1 ciphers for TLS 1.0 and SHA2 for TLS1.2). Currently, the draft
> allows for TLS1.0 and 1.1, but recommends using 1.2 (and requires
> vendors to provide a migration plan in case TLS1.0 is obsoleted).
> TLS1.0 and 1.1 RFCs have been obsoleted by the IETF; but I am not sure
> about the best current practice. Is it absolutely discouraged to use
> them? The argument in the OpenADR alliance is that many libraries and
> programming languages do not support TLS1.2, so they recommend to
> start the handshake with 1.2 and then downgrade - if required - to
> 1.0. I read that NIST disallows SHA1 after 2013; which would also
> affect TLS1.0, which does not support SHA2.
>
> What would be your recommendation in this case? Mandate TLS1.2 and
> disallow TLS1.0? Or just strongly recommend ("SHOULD") to use TLS1.2
> and SHA2 ciphers, and otherwise to use TLS1.0?

The biggest security issue with TLS 1.0/1.1 is less the use of sha1 and
more the use of CBC+hmac in a very wacky combination. From what I'm
aware, the use of SHA1 in HMAC shouldn't affect its security. Still
it's a good idea to avoid sha1 - it just isn't the most pressing
security issue.

You should definitely require TLS 1.2 and avoid CBC-ciphersuites if
possible if you want high security. The AEAD-ciphersuites (i.e.
everything with AES-GCM) in TLS 1.2 are the thing you want to use.

The issue with libraries not supporting TLS 1.2 isn't as severe as it
may seem. OpenSSL supports TLS 1.2 since a while, GnuTLS also does, the
MS-provided ssl libs since Windows 7 as well. nss has no support yet,
but there are experimental patches and it's expected to come quite soon.

So unless you have a very strong need to use outdated versions of
crypto libraries (which is generally not a good idea), it shouldn't be
much of an issue.

cu,
-- 
Hanno Böck

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
http://www.hboeck.de/
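
The recommendation in the message above (require TLS 1.2, prefer the AES-GCM AEAD suites over CBC ones) expressed with Python's `ssl` module, as an added example that is not part of the original mail. The helper names, the cipher string `ECDHE+AESGCM` and the sample (protocol, suite) pairs are assumptions constructed for illustration.

```python
import ssl

# Substrings marking AEAD suites in OpenSSL cipher names. GCM is what the
# mail recommends; CCM and ChaCha20-Poly1305 are the other AEAD families
# (the TLS 1.3 suites OpenSSL always lists fall under these too).
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def is_aead(suite_name):
    """True if an OpenSSL suite name denotes an AEAD cipher."""
    return any(marker in suite_name.upper() for marker in AEAD_MARKERS)


def hardened_context(protocol=ssl.PROTOCOL_TLS_CLIENT):
    """Context that refuses anything below TLS 1.2 and offers only
    ECDHE key exchange with AES-GCM (RSA or ECDSA authentication)."""
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")  # assumption: one reasonable selection
    return ctx


def offered_non_aead(ctx):
    """Names of suites the context would still offer that are not AEAD."""
    return [c["name"] for c in ctx.get_ciphers() if not is_aead(c["name"])]


def audit(observed):
    """Flag (protocol, suite) pairs, e.g. taken from server connection
    logs, that fall short of the 'TLS 1.2 + AEAD' recommendation."""
    findings = []
    for proto, suite in observed:
        reasons = []
        if proto in LEGACY_PROTOCOLS:
            reasons.append("protocol below TLS 1.2")
        if not is_aead(suite):
            reasons.append("non-AEAD suite (CBC or stream cipher + HMAC)")
        if reasons:
            findings.append((proto, suite, reasons))
    return findings


# Constructed sample connections, not taken from any real log.
SAMPLE = [
    ("TLSv1", "AES128-SHA"),                     # old protocol and CBC
    ("TLSv1.2", "ECDHE-RSA-AES128-SHA256"),      # TLS 1.2 but still CBC
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),  # meets the recommendation
]

if __name__ == "__main__":
    print("non-AEAD suites still offered:", offered_non_aead(hardened_context()))
    for finding in audit(SAMPLE):
        print(finding)
```

Note that a TLS 1.2 connection can still negotiate a CBC suite (the second sample), so pinning the protocol version alone does not meet the recommendation.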