Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93)
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 July 2015 16:00 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26EA91A03A9 for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 09:00:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0Rq-xZgo3Hy for <tls@ietfa.amsl.com>; Thu, 23 Jul 2015 09:00:35 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 232A41A0195 for <tls@ietf.org>; Thu, 23 Jul 2015 09:00:35 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 4F2C5284B53; Thu, 23 Jul 2015 16:00:34 +0000 (UTC)
Date: Thu, 23 Jul 2015 16:00:34 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150723160034.GV4347@mournblade.imrryr.org>
References: <201507221610.27729.davemgarrett@gmail.com> <1724827.ajpDBsKllU@pintsize.usersys.redhat.com> <201507231143.46288.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201507231143.46288.davemgarrett@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cRxl_seq_UZIgQzR4OOnIF9PLfI>
Subject: Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 16:00:38 -0000
On Thu, Jul 23, 2015 at 11:43:45AM -0400, Dave Garrett wrote: > Right now, the restrictions section prohibits: > RC4, SSL2/3, & EXPORT/NULL entirely (via min bits) > and has "SHOULD" use TLS 1.3+ compatible with TLS 1.2, if available So much for using NULL ciphers for client-server authentication on loopback interfaces. :-( Surely, in at least some cases, making it harder to make mistakes needs to be addressed in toolkit and application interfaces, not the protocol. Removing weak algorithms that serve the same use-cases poorly is fine, but removing non-traditional use-cases is perhaps too drastic. > Plus, "MUST" use DHE or ECDHE for ALL connections, even back to TLS 1.0, > or abort with a fatal error. Who's going to police the Internet to remove all the legacy services? > By the way, even IE6 on XP supports DHE. But not Exchange server 2003, and various Windows-based email gateway appliances. > If we actually have to care about IE on > XP, we could state an exception that the only non-PFS cipher suite to be > permitted on servers for backwards compatibility is > TLS_RSA_WITH_3DES_EDE_CBC_SHA. Exchange 2003 has a broken 3DES implementation. The only working ciphersuites are RC4-SHA/RC4-MD5. And there are surely plenty of legacy system that are neither HTTPS or email. It sure sounds like the radical surgery is largely for HTTPS, and should be implemented in web servers and clients, not the TLS protocol. -- Viktor.
- [TLS] A la carte concerns from IETF 93 Dave Garrett
- Re: [TLS] A la carte concerns from IETF 93 Hubert Kario
- Re: [TLS] A la carte concerns from IETF 93 Ilari Liusvaara
- [TLS] ban more old crap (was: A la carte concerns… Dave Garrett
- Re: [TLS] ban more old crap (was: A la carte conc… Viktor Dukhovni
- Re: [TLS] ban more old crap (was: A la carte conc… Dave Garrett
- Re: [TLS] ban more old crap Stephen Farrell
- Re: [TLS] ban more old crap (was: A la carte conc… Yuhong Bao
- Re: [TLS] ban more old crap Eric Rescorla
- Re: [TLS] ban more old crap Hubert Kario
- Re: [TLS] ban more old crap (was: A la carte conc… Hubert Kario
- Re: [TLS] ban more old crap Dave Garrett
- Re: [TLS] ban more old crap Ilari Liusvaara
- Re: [TLS] ban more old crap Hubert Kario
- Re: [TLS] ban more old crap Dave Garrett
- Re: [TLS] ban more old crap Hubert Kario
- Re: [TLS] ban more old crap Dave Garrett
- Re: [TLS] ban more old crap Yuhong Bao
- Re: [TLS] ban more old crap Ilari Liusvaara
- Re: [TLS] ban more old crap Viktor Dukhovni
- Re: [TLS] ban more old crap Salz, Rich
- Re: [TLS] ban more old crap Stephen Farrell
- Re: [TLS] ban more old crap Benjamin Beurdouche
- Re: [TLS] ban more old crap Eric Rescorla
- Re: [TLS] ban more old crap Martin Thomson
- Re: [TLS] ban more old crap Salz, Rich
- Re: [TLS] ban more old crap Martin Thomson
- Re: [TLS] ban more old crap Viktor Dukhovni
- Re: [TLS] ban more old crap Viktor Dukhovni
- Re: [TLS] ban more old crap Dave Garrett
- Re: [TLS] ban more old crap Viktor Dukhovni