Re: [TLS] prohibit <1.2 on clients (but allow servers) (was: prohibit <1.2 support on 1.3+ servers (but allow clients))

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 22 May 2015 12:31 UTC

Xiaoyin Liu <xiaoyin.l@outlook.com> writes:

>The simple reason is that we should allow normal users to gradually upgrade
>their old browsers/operating systems, but should encourage (or require)
>webmasters to upgrade their servers as soon as possible in order to protect
>their users' security and privacy.

This comment again shows the rather myopic browser-centered view of TLS that
I've complained about in the past.  For most of the users of TLS that I work
with, there is no browser, no OS upgrade, and no web.  TLS is used for
machine-to-machine communications, with no human intervention.  You know the
PLC I used as an example in an earlier message, the one that rejects any
attempt at connecting with a version number set to greater than TLS 1.0?  The
"upgrade" procedure for that is to replace it when the hardware dies, with a
minimum (minimum, not maximum) lifetime of around ten years (I've seen
refrigerator-sized PLCs dating from the 1960s still in active use today, but
that's because they're practically indestructible compared to modern
versions).

So if some sort of BCP is published, it should explicitly target browsers and
web servers where this kind of upgrade/change is possible.  Telling people to
throw away their PLCs and replace them with new ones isn't going to fly.

Peter.