Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Jeffrey Walton <noloader@gmail.com> Thu, 21 May 2015 19:22 UTC

In-Reply-To: <201505211210.43060.davemgarrett@gmail.com>
References: <201505211210.43060.davemgarrett@gmail.com>
Date: Thu, 21 May 2015 15:22:56 -0400
Message-ID: <CAH8yC8n6WieA5nv1fwdAuw+zdMdE68VfOW_j=m3wPuwra88Erw@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/dzWmGdrO4A8ECmvI5qvJbw01r3g>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

On Thu, May 21, 2015 at 12:10 PM, Dave Garrett <davemgarrett@gmail.com> wrote:
> I was going to hold off on suggesting this due to other topics dominating the list, but we might be in a kill-the-old-junk mood due to the latest old-junk vulnerability, so...
>
> Old versions of TLS need to be phased out at some point (even the one we're designing now), however the current modus operandi is generally to wait until a catastrophic breakage forces everyone into a panic disable. I'd like to at least try to do better prior to the next time. I'd like to propose giving servers & clients different expectations as a transitional measure:
>
> 1) No general change to current TLS other than pointing to the UTA BCP from time to time.
> https://tools.ietf.org/html/rfc7525
>
> 2) For TLS 1.3, add a blurb to the effect of:
> "Server TLS implementations supporting TLS 1.3 or later MUST NOT negotiate TLS 1.0 or TLS 1.1 for any reason.
> Client TLS implementations are RECOMMENDED to not support old TLS versions, where possible."
>
Now might be a good time to add a (3) for TLS 1.3: have a client
specify both the least TLS version they are willing to use, and the
greatest TLS they desire to use. And MAC or derive from it so it
can't be tampered with or downgraded.

You can still provide the TLS record layer version, and you can
keep it un-MAC'd so it can be tampered with to cause a disclosure or
crash :)

Effectively, that's how the versions in the record layer and client
protocol are being used. It stops those silly dances the browsers and
other user agents perform without the need for TLS Fallback SCSV.

Jeff
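The two proposals in this exchange, a 1.3+ server that refuses to negotiate TLS 1.0/1.1 and a client that advertises an authenticated (least, greatest) version range, can be modelled in a few lines. The following is an added illustration, not code from the thread or from any TLS implementation: the hello format, the function names and the shared `HANDSHAKE_SECRET` are constructed for the example, and the handshake is a toy, not the TLS wire protocol. What it shows is the mechanism Jeff asks for: both sides MAC the handshake transcript, including the advertised range, so a middlebox that rewrites the client's maximum version gets a server that agrees to the lower version but a Finished MAC the client will not accept.

```python
"""Toy model of authenticated TLS version negotiation (not real TLS).

Constructed example: the client hello carries a 2-byte minimum and a
2-byte maximum version; the server picks the highest version in both
ranges; both sides compute an HMAC over the handshake transcript with a
shared handshake secret. Everything here (message layout, secret, names)
is invented for illustration.
"""
import hashlib
import hmac

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}

# Hypothetical shared handshake secret; real TLS derives this from the
# key exchange, the toy just assumes both sides already hold it.
HANDSHAKE_SECRET = b"constructed-handshake-secret"


def client_hello(min_version, max_version):
    """Hypothetical client hello: least acceptable, then greatest desired."""
    return min_version.to_bytes(2, "big") + max_version.to_bytes(2, "big")


def parse_client_hello(msg):
    return int.from_bytes(msg[:2], "big"), int.from_bytes(msg[2:4], "big")


def server_select(msg, server_min, server_max):
    """Highest version in both ranges, or None when the ranges are disjoint.

    A server following the proposed 1.3 text sets server_min to TLS12 or
    higher, so a client offering only 1.0/1.1 is refused outright.
    """
    cmin, cmax = parse_client_hello(msg)
    chosen = min(cmax, server_max)
    if chosen < max(cmin, server_min):
        return None
    return chosen


def server_hello(version):
    return version.to_bytes(2, "big")


def finished_mac(secret, transcript):
    """HMAC over the hash of the concatenated handshake messages."""
    digest = hashlib.sha256(transcript).digest()
    return hmac.new(secret, digest, hashlib.sha256).digest()


def run_handshake(client_range, server_range, tamper=None):
    """Simulate one handshake; `tamper` rewrites the client hello in flight.

    Returns (negotiated_version_or_None, client_accepts_finished).
    """
    ch_sent = client_hello(*client_range)
    ch_recv = tamper(ch_sent) if tamper else ch_sent
    version = server_select(ch_recv, *server_range)
    if version is None:
        return None, False
    sh = server_hello(version)
    # The server MACs the hello it actually received; the client checks
    # against the hello it actually sent. Any rewrite in between shows up here.
    server_fin = finished_mac(HANDSHAKE_SECRET, ch_recv + sh)
    client_expect = finished_mac(HANDSHAKE_SECRET, ch_sent + sh)
    return version, hmac.compare_digest(server_fin, client_expect)


def downgrade_max_to(version):
    """Middlebox that lowers the client's advertised maximum version."""
    def tamper(msg):
        cmin, _ = parse_client_hello(msg)
        return client_hello(cmin, version)
    return tamper


if __name__ == "__main__":
    v, ok = run_handshake((TLS10, TLS13), (TLS12, TLS13))
    print("honest:", NAMES.get(v), "accepted" if ok else "rejected")
    v, ok = run_handshake((TLS10, TLS11), (TLS12, TLS13))
    print("old-only client vs 1.3+ server:", v, "accepted" if ok else "rejected")
    v, ok = run_handshake((TLS10, TLS13), (TLS10, TLS13), tamper=downgrade_max_to(TLS10))
    print("rewritten range:", NAMES.get(v), "accepted" if ok else "rejected")
```

In the tampered run the server does negotiate TLS 1.0, because it never sees the original range, but the client's Finished check fails and the connection is abandoned; that is the property that makes the browser fallback dance and a separate fallback signal unnecessary. Note that nothing outside the transcript is protected, which is the point of the remark about the record-layer version above: only fields fed into the MAC are downgrade-resistant.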