Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft
Dave Garrett <davemgarrett@gmail.com> Mon, 29 December 2014 20:28 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2883D1AC3EF for <tls@ietfa.amsl.com>; Mon, 29 Dec 2014 12:28:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yf7IglM2VOzH for <tls@ietfa.amsl.com>; Mon, 29 Dec 2014 12:28:15 -0800 (PST)
Received: from mail-qg0-x22a.google.com (mail-qg0-x22a.google.com [IPv6:2607:f8b0:400d:c04::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 943521A8AD7 for <tls@ietf.org>; Mon, 29 Dec 2014 12:28:15 -0800 (PST)
Received: by mail-qg0-f42.google.com with SMTP id q108so9892876qgd.1 for <tls@ietf.org>; Mon, 29 Dec 2014 12:28:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=HN4/1Wr/VVwGVdCHovPtEF7H746m+IfYfvrZ+bSklGI=; b=Y8skp1QFA0USg/10M1s4bS/6P2dbdIiMbKxp03MC9RyeFV3XMRgEWIoeVQoBmfwMHS 7pjJlJDgWoFLY2IzhQvUFYNs9l7tZ0U8SneHdQGY9x162LhpsNSJKiWN1ICtBviyzPlC O5JVVoodJoXEc4QW29KKci+zTNU3/CFThvAotFms8wGqzHmUcm9lOyUrLtBqppD7u7qC mMn4mhGV9ZsCXpUorXSdCGltkeK5CJOkzp3JN2gIt/boLyluO9T80j+EZFTRtw82hgjL ONBhSTh4b9JZmETw/BeV3wY0DMq21xiW6mi8QgccWHO3B4j/+MpFoQN+Q7Hyvjh16lia 7vqg==
X-Received: by 10.224.131.4 with SMTP id v4mr92150913qas.99.1419884894742; Mon, 29 Dec 2014 12:28:14 -0800 (PST)
Received: from dave-laptop.localnet (pool-72-78-212-218.phlapa.fios.verizon.net. [72.78.212.218]) by mx.google.com with ESMTPSA id b1sm15768493qac.34.2014.12.29.12.28.14 (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 29 Dec 2014 12:28:14 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: mrex@sap.com
Date: Mon, 29 Dec 2014 15:28:11 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-66-generic-pae; KDE/4.4.5; i686; ; )
References: <20141229192657.A288B1B0B6@ld9781.wdf.sap.corp>
In-Reply-To: <20141229192657.A288B1B0B6@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201412291528.11915.davemgarrett@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_NeeEE3dgPff60Nha9VvZEfsTA4
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 20:28:18 -0000
On Monday, December 29, 2014 02:26:57 pm Martin Rex wrote: > Server-side usage will be significantly adversely affected by a silly > MUST NOT accept TLSv1.2 offered in SSL Version 2.0 CLIENT-HELLO This is a semantical disagreement. The server will continue to work fine, just dropping v2 connection attempts. It's the client sending the v2 hello that will be disaffected. (it could be phrased from either perspective; the client initiates the connection, so I significantly prefer this one) > o TLS servers MAY continue to accept ClientHello messages in the > version 2 CLIENT-HELLO format as specified in RFC 5246 [TLS1.2], > Appendix E.2. Yes, in 2011 optional backwards compatibility was left in place. In 2015 I'm saying that it shouldn't be expected anymore. (or let's be realistic, 2016, when the slow to update get around to considering this) > A SSL Version 2.0 CLIENT-HELLO offering TLSv1.2 is perfectly sufficient > to negotiate the mandatory-to-implement TLSv1.2 TLS cipher suite: > > https://tools.ietf.org/html/rfc5246#section-9 Wrong reference? That's just the MTI cipher. SSL2 compatibility in TLS 1.2 is here: https://tools.ietf.org/html/rfc5246#appendix-E.2 What it does say is: "However, even TLS servers that do not support SSL 2.0 MAY accept version 2.0 CLIENT-HELLO messages." It's only sufficient if the server is willing to do so. It's not to be expected. This is a "MAY" and not a "SHOULD". Clients MUST send v2 to connect to SSL2 servers, but that's it. It is important to remember, however, that this section is not a valid reference as-is. RFC 6176 amends it. https://tools.ietf.org/html/rfc6176 > > "TLS clients MUST NOT send the SSL version 2.0 compatible CLIENT- > > HELLO message format" > > This applies only to *NEW* clients. Please cite to me where it says that RFC 6176 only applies to new clients. (is there actually some other reference I'm missing that says that? that's certainly possible) It simply says: "Updates: 2246, 4346, 5246" & "This document updates the backward compatibility sections found in the Transport Layer Security (TLS)." Thus, anything that implements any of the updated TLS 1.x RFCs is expected to implement this amendment in full. If there's some policy I'm missing here, please do point it out. However, I'm under the impression that this is fairly unambiguous and SSL2 is not to be considered acceptable anywhere. This does not seem like a controversial position to take in 2015. > > With both SSL2 & SSL3 prohibited, there should be no v2 hellos. > > But there still are plenty of them around in the installed base. > > > Put bluntly, any environment that actually HAS v2 hellos is already > > ignoring IETF RFCs. > > Behaviour of the installed base is well known to be unaffected by documents > published by the IETF (or any other organization, or government). I certainly can't disagree with that. I can disagree that it should be the overriding force in deciding what to do next. ----- Let me sum things up this way. There are two categories here: A) Obsolete implementations that are insecure and supported by nobody. B) Obsolete implementations that are at least maintained by some group. Category B is the enterprise situation. Their IT & the software they use maintains this old stuff in some way. Disabling SSL2 & SSL3 is not an unreasonable expectation for continued maintenance if their desire is to switch servers over to TLS 1.3 capability. If they don't want to adopt TLS 1.3 servers yet, they are not affected until they do. TLS 1.3 clients would only fail to connect to SSL only servers. Complying with intervening RFCs is simply a requirement to implement the new RFC. Category A is forsaken. There is no expectation of a secure connection with those clients. Dragging along backwards compatibility forever for them would be irresponsible. If they break, they will have to be replaced with something that continues to work. If this was half the population of the Internet, then yeah, we'd have to pathetically work around them, but that is not the case. Modern clients are fine here and have more than enough widespread use. If IE6 breaks, nobody can argue in good conscience that TLS 1.3 should be modified to accommodate that. And again, it is entirely possible to click a few checkboxes in its security options to fix the issue. (IE has generally had decent configurability here) I don't know about you, but I'd like to see a world where the only pages old versions of IE can connect to are ones that let you download a new browser or at least upgrade its security slightly. Is there some specific real-world case this opposition is coming from? An argument to defend a specific widely used client, with justification for its continued use, would be far more persuasive. Simply "ahh, but Java 6" doesn't feel like a particularly useful argument when Java 7 & 8 are long since available. Give me significant hard numbers and I'll certainly change my opinion to a "SHOULD NOT" rather than a "MUST NOT" for all but pure TLS 1.3 connections. (the idea that TLS 1.3 should be negotiatable via an SSL2 hello is insane) Dave
- [TLS] drop obsolete SSL 2 backwards compatibility… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yoav Nir
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yoav Nir
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- [TLS] explicitly specify ClientHello record versi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Jeffrey Walton
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Hauke Mehrtens
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yoav Nir
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Fabrice
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Hauke Mehrtens
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Kurt Roeckx
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Salz, Rich
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Watson Ladd
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Thomson
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Peter Gutmann
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Brian Smith
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Salz, Rich
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Florian Weimer
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Florian Weimer
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Daniel Kahn Gillmor
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Andrei Popov
- [TLS] Downgrade Dance steps (Re: drop obsolete SS… Martin Rex
- Re: [TLS] Downgrade Dance steps (Re: drop obsolet… Dave Garrett
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Martin Rex
- Re: [TLS] drop obsolete SSL 2 backwards compatibi… Yuhong Bao