Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
Aaron Zauner <azet@azet.org> Fri, 22 May 2015 03:20 UTC
Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id AEF1C1A909C
for <tls@ietfa.amsl.com>; Thu, 21 May 2015 20:20:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id zhWfQsnsvyOn for <tls@ietfa.amsl.com>;
Thu, 21 May 2015 20:20:31 -0700 (PDT)
Received: from mail-wg0-f49.google.com (mail-wg0-f49.google.com [74.125.82.49])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id BCE0A1A9096
for <tls@ietf.org>; Thu, 21 May 2015 20:20:30 -0700 (PDT)
Received: by wgfl8 with SMTP id l8so5263376wgf.2
for <tls@ietf.org>; Thu, 21 May 2015 20:20:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:date:from:to:cc:subject:message-id:references
:mime-version:content-type:content-disposition:in-reply-to
:user-agent;
bh=X3qsWGwns2Hy3/OxvcISwA0/F/USBU9RncujUOqx2M4=;
b=lO5b6XPjgZrAwcuN23MdbrZI4c/EDh5y4fIKGphdxvUer8aKRH4DGwbfrADrDp3eLG
QWHJd8AyFqldb/kHYa/rn3KKKPvbvjFdcaKUlQx8EquGh1WvExeTU/FwJGFE6BhrLsRU
HnF2JSAwUDm64+eUGqZhewNs0gf8SoCaRVPYmilg3/tZ1a5KvLA7CtS33ol3Ip8SQYQJ
vb0lRIRz0hYrXeiXSlBHyjmaSNmlfb8Yid2C3xvAZrKIqpE4EvUd3MolIJSIBT4Lq4XS
S09IyG7D+ZkjW9fYHy/WLMXM+whIMegc1lye0zSPJNVMTufhyUWng+JZhMW+x+MMEQ7z
fkPw==
X-Gm-Message-State: ALoCoQkoBoxO6unv9w0Wgs2Xeomzg3yd5cS1RWJf0N5GMcem/QiyzZMQNDcMTkbMFjPr825KJTFx
X-Received: by 10.180.83.40 with SMTP id n8mr3138590wiy.57.1432264829508;
Thu, 21 May 2015 20:20:29 -0700 (PDT)
Received: from typhoon.azet.org (chello080108032135.14.11.univie.teleweb.at.
[80.108.32.135])
by mx.google.com with ESMTPSA id b2sm1034399wje.40.2015.05.21.20.20.28
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 21 May 2015 20:20:28 -0700 (PDT)
Date: Fri, 22 May 2015 05:20:30 +0200
From: Aaron Zauner <azet@azet.org>
To: Dave Garrett <davemgarrett@gmail.com>
Message-ID: <20150522032029.GA24064@typhoon.azet.org>
References: <201505211210.43060.davemgarrett@gmail.com>
<20150522025214.GA21141@typhoon.azet.org>
<CAHOTMVJ1i+h3x8UShLhku5VcFiB4RRrUmPZL6cz7LnHMeHzAFA@mail.gmail.com>
<201505212304.11513.davemgarrett@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature"; boundary="+HP7ph2BbKc20aGI"
Content-Disposition: inline
In-Reply-To: <201505212304.11513.davemgarrett@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/cxqwdv4DAmJN3s73M96OdS4En0g>
Cc: tls@ietf.org
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working
group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>,
<mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>,
<mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 03:20:32 -0000
* Dave Garrett <davemgarrett@gmail.com> [22/05/2015 05:04:13] wrote: > That said, the RC4 diediedie is getting largely ignored. To actually kill something like this off, it seems to need to be done as a panic response or as a requirement of something new that everyone starts together. (e.g. SSL3 diediedie or old TLS with HTTP/2) Thus was my reasoning for at least attempting to suggest it here. :| I don't have that impression at all. The RC4 and SSLv3 deprecation documents even got (some) media attention, which is quite rare for IETF documents. Same with the UTA BCP on TLS and attacks. As suggested in the starting post this would effectively mean that an implementation that does support 1.3 MUST NOT support anything lower than that. Which -- of course -- means you're locking users out that only have poor/bad crypto at hand. Somewhat refering to the opportunistic debate; it's again bad crypto vs. no crypto at all. :/ Aaron
- [TLS] prohibit <1.2 support on 1.3+ servers (but … Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Loganaden Velvindron
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Thijs van Dijk
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Kurt Roeckx
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yuhong Bao
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Watson Ladd
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Yoav Nir
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Aaron Zauner
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Thomson
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Martin Rex
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Hubert Kario
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Xiaoyin Liu
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Salz, Rich
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Ronald del Rosario
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Dave Garrett
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoffrey Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Tony Arcieri
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Bill Frantz
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Peter Gutmann
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Geoff Keating
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Jeffrey Walton
- Re: [TLS] prohibit <1.2 support on 1.3+ servers (… Florian Weimer
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Yuhong Bao
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Martin Thomson
- Re: [TLS] prohibit <1.2 on clients (but allow ser… Salz, Rich