IETF Logo Mail Archive

Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft

Hauke Mehrtens <hauke@hauke-m.de> Sun, 28 December 2014 14:43 UTC

Return-Path: <hauke@hauke-m.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DAB91AD48F for <tls@ietfa.amsl.com>; Sun, 28 Dec 2014 06:43:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.562
X-Spam-Level:
X-Spam-Status: No, score=-1.562 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fR9zr_wT2h4Y for <tls@ietfa.amsl.com>; Sun, 28 Dec 2014 06:43:44 -0800 (PST)
Received: from hauke-m.de (hauke-m.de [IPv6:2001:41d0:8:b27b::1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCA611A6FDB for <tls@ietf.org>; Sun, 28 Dec 2014 06:43:44 -0800 (PST)
Received: from [IPv6:2001:67c:20a1:1192:224:d7ff:fe5f:d4e4] (unknown [IPv6:2001:67c:20a1:1192:224:d7ff:fe5f:d4e4]) by hauke-m.de (Postfix) with ESMTPSA id 212EC2016F; Sun, 28 Dec 2014 15:43:42 +0100 (CET)
Message-ID: <54A0171D.9070504@hauke-m.de>
Date: Sun, 28 Dec 2014 15:43:41 +0100
From: Hauke Mehrtens <hauke@hauke-m.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.3.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, Dave Garrett <davemgarrett@gmail.com>
References: <201412221945.35644.davemgarrett@gmail.com> <F07340BA-F182-470C-AF90-C85A973075B9@gmail.com> <549F2D90.5030305@hauke-m.de> <201412271739.24476.davemgarrett@gmail.com> <38DB9255-0F1B-40BC-A36B-D0241BE65E40@gmail.com>
In-Reply-To: <38DB9255-0F1B-40BC-A36B-D0241BE65E40@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/kWQVMeayS-QilbR3AFTYLPVy6H4
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Dec 2014 14:43:46 -0000

Hi,

as even OpenSSL 0.9.8 sends such ClientHellos in the default settings, I
think TLS 1.3 should support the following:

1. TLS 1.3 Clients must only negotiate TLS 1.0 or up. I think with the
Poodle attack most servers and clients already deactivated SSL v3
support. This is draft-ietf-tls-sslv3-diediedie-00.
2. A TLS 1.3 Client most not send a SSL v2 or SSL v3 ClientHello. This
is draft-ietf-tls-sslv3-diediedie-00.
2. A TLS 1.3 server may or should accept a SSL V2 and V3 compatible
ClientHello, but not negotiate these protocol versions.

I think for compatibility reasons most implementors would like to stay
compatible with old ClientHellos, but I think the RFC should not mandate
this. In 10 years TLS servers implementors are probably save to remove
support for this old OpenSSL version, Java 6 and probably more stuff.
This should be an implementors decision how long they want to stay
backwards compatible with old software as long as this does not have
negative implications on security.

Hauke

On 12/27/2014 11:54 PM, Yoav Nir wrote:
> Hi, Dave
> 
> I see a "should" from Hauke and a "should not" from you. But using RFC 2119 words like “MUST NOT” in the spec could mean one of the following things:
>  1, That an SSLv2 ClientHello with version equal to whatever we choose for TLS 1.3 (0x03,0x04?) must be rejected and the connection closed.
>  2. That any TLS 1.3 implementation MUST remove support for SSLv2 ClientHellos.
>  3. That it is no longer prudent to even perform handshakes with clients that still offer SSLv2. In this case SSLv2 support is used as a proxy for insecure peer.
> 
> In your message you said “should not”. Why do you think we need to mandate dropping this support from existing products?
> 
> Yoav
> 
> 
>> On Dec 28, 2014, at 12:39 AM, Dave Garrett <davemgarrett@gmail.com> wrote:
>>
>> On Saturday, December 27, 2014 05:07:12 pm Hauke Mehrtens wrote:
>>> On 12/24/2014 07:40 AM, Yoav Nir wrote:
>>>> It’s fine for us to break compatibility with these clients, but let’s not
>>>> pretend it’s some ancient technology that doesn’t exist in the market
>>>> anymore.
>>>
>>> In addition the Oracle Java Runtime Environment in Version 6 uses a SSL
>>> v2 compatible ClientHello in the default settings. It supports SSL v3
>>> and TLS 1.0. In Java JRE 7 a SSLv3 ClientHello is used by default.
>>>
>>> I think a TLS 1.3 Client must not send a SSLv2 ClientHello, but a server
>>> should understand it.
>>
>> The newest version of TLS should not be have to be written to accommodate an 8 
>> year old EOL Java version's default settings.
>>
>>
>> Dave
>

v2.23.0 | Report a Bug | By Email