Re: [TLS] consensus on backwards compatibility changes

Kurt Roeckx <> Tue, 27 January 2015 00:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 678271A1A33 for <>; Mon, 26 Jan 2015 16:50:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id q0z8BGw2M7HW for <>; Mon, 26 Jan 2015 16:50:32 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 711041A1A29 for <>; Mon, 26 Jan 2015 16:50:32 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id E6ECB1C213A; Tue, 27 Jan 2015 01:50:29 +0100 (CET)
Received: by (Postfix, from userid 1000) id C3C751FE0576; Tue, 27 Jan 2015 01:50:29 +0100 (CET)
Date: Tue, 27 Jan 2015 01:50:29 +0100
From: Kurt Roeckx <>
To: Dave Garrett <>
Message-ID: <>
References: <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <>
Cc: " (" <>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 27 Jan 2015 00:50:37 -0000

On Mon, Jan 26, 2015 at 06:31:36PM -0500, Dave Garrett wrote:
> > So you're saying that things that implement TLS 1.3 MUST NOT
> > support negiotating SSLv2?  If that it what you mean, please say
> > that instead.
> | Implementations MUST NOT send an SSL version 2.0 compatible CLIENT-HELLO.
> The first sentence is sufficient to prohibit negotiating SSL2 entirely. I've also cited RFC 6176.
> If you think this needs yet more, I guess I could stick a "and must not be negotiated"
> onto the two lines citing RFC/I-D prohibitions, if you think it needs to be more clear. I have
> nothing against adding redundancy here.

I guess if you really want you could go and put {3, 0} in the
record layer (so an SSLv3 client hello) and put {2, 0} in the
Client Hello.  In theory that should work if both support SSLv3
but for some reason want to talk SSLv2, but I doubt that it's
going to work in practice.  I also don't think that anybody is
going to do that.  I'm perfectly happy with that part of the
current text, and I did already interprete that as not allowing
the negiotation of SSLv2.

> With regard to this topic, please see the previous discussion on list. (the "drop obsolete
> SSL 2 backwards compatibility" thread) Implementers have specifically pushed back against
> dropping all SSL 2 stuff, in particular because they think it is valid to still negotiate TLS 1.2
> using an SSL version 2.0 client hello. I can understand why you'd have trouble
> understanding this; I do too. :/

I was part of that thread.  I think we need to support the SSLv2
client hello because their are still too many clients out there
that use it to set up TLS 1.0.  If you say we should drop TLS 1.0
support I'm happy to also drop the SSLv2 client hello support.

Anyway, I only had a problem understanding what you mean with:
| Implementations MUST NOT send or accept any records with a version less than { 3, 0 }.

So now I'm thinking that you're saying that you're not allowed to
use the SSLv3 record format and put SSLv2 in the record layer
version.  I'm not sure why you think anybody would do that or that
it's going to work, it's clearly not what you want to do in case
you want to send an SSLv2 compatible client hello.  But then
people might do all kinds of strange things and I doubt that will
stop them from doing it.