Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Loganaden Velvindron <> Thu, 21 May 2015 16:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C964A1A8953 for <>; Thu, 21 May 2015 09:45:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id x9BW0e_USoBo for <>; Thu, 21 May 2015 09:45:26 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2EA5E1A893F for <>; Thu, 21 May 2015 09:45:26 -0700 (PDT)
Received: by igbpi8 with SMTP id pi8so15133712igb.0 for <>; Thu, 21 May 2015 09:45:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Ta86wAgmcvG7SVbTtmsPDoTY77BHmG05EO7XS6KCxYM=; b=i98giNwvK3C4YDf/YrjLkESxu0ya47HkE7q2TjyQ9/clmvigtOxbaKoejg7rkeOQu8 GLdzy8k1Bhbj1BbS52b/tff/Ee9hETNAMZxjnMnY0Xqs5/t52mUU4WTKbiz7FZxEitUP WZZWf3K9BP5IHHa5/BurgRMFIFEBndpeKlul9y5rwnSZweKVutglF+1XQiTtdum6eilh 6pp8tX7Qo2Q0tBeCvgRzM1hIrHCPIRAePV2AlPLbzY49VIwnpE1KgypKMb0Cz/myutxu Ui1CwROWz/qRo1sqKbEVXk6xJlX2iH7hQttOvu8rFwt1yw+d/O735UiWMVD5QIbBCuXF 0/yQ==
MIME-Version: 1.0
X-Received: by with SMTP id p4mr5269988iga.4.1432226725554; Thu, 21 May 2015 09:45:25 -0700 (PDT)
Received: by with HTTP; Thu, 21 May 2015 09:45:25 -0700 (PDT)
In-Reply-To: <>
References: <>
Date: Thu, 21 May 2015 16:45:25 +0000
Message-ID: <>
From: Loganaden Velvindron <>
To: Dave Garrett <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 May 2015 16:45:28 -0000

On Thu, May 21, 2015 at 4:10 PM, Dave Garrett <> wrote:
> I was going to hold off on suggesting this due to other topics dominating the list, but we might be in a kill-the-old-junk mood due to the latest old-junk vulnerability, so...
> Old versions of TLS need to be phased out at some point (even the one we're designing now), however the current modus operandi is generally to wait until a catastrophic breakage forces everyone into a panic disable. I'd like to at least try to do better prior to the next time. I'd like to propose giving servers & clients different expectations as a transitional measure:
> 1) No general change to current TLS other than pointing to the UTA BCP from time to time.
> 2) For TLS 1.3, add a blurb to the effect of:
> "Server TLS implementations supporting TLS 1.3 or later MUST NOT negotiate TLS 1.0 or TLS 1.1 for any reason.
> Client TLS implementations are RECOMMENDED to not support old TLS versions, where possible."

In Implementations like OpenBSD, this is already happening. For
example. libtls supports 1.2 by default.

> The reasoning here is that major server updates are unfortunately uncommon, but client updates are routine. Server implementations get updated, but deployments don't/can't keep up. There are no legitimate clients that do not support TLS 1.2, and even plenty of old ones can support it if actually enabled (and those vendors should get their act together and push updates to flip that on for all old versions, regardless of EOL status). The current strategy is basically to support everything forever and that has been shown to be quite detrimental, especially over the past year.
> Note that this is not just about dropping support for versions X & Y. It's about giving implementations a chance to drop all the baggage that comes with those old versions and focus only on reasonably modern standards instead.
> For those that would disagree with mandating servers drop support for the protocol from 1999, I think it's reasonable to just require you to have to ignore the RFCs if you really want to keep doing this sort of thing in 2015. Everyone else should have servers that have at least vaguely reasonable minimum standards out-of-the-box. Allowing obsolete security to be considered legitimate is a public hazard, and I don't want to wait around for more exploits to deal with it. Security is only as strong as the weakest link; we need to start baking this into new specifications
> Dave
> PS
> I am aware some vendors irresponsibly abandoned lots of mobile users on obsolete OS versions. They should be treated like WinXP+IE6: useless until you download a better browser yourself. If that's not possible, complain to the hardware vendor that didn't provide updates.

With Android One label, Things are slightly less worse now.

> _______________________________________________
> TLS mailing list