Re: [TLS] drop obsolete SSL 2 backwards compatibility from TLS 1.3 draft
Dave Garrett <davemgarrett@gmail.com> Mon, 29 December 2014 19:08 UTC
On Monday, December 29, 2014 06:58:43 am Martin Rex wrote:
> JDK 1.6 might be past its "End of Public Updates", but it is still
> fully supported and pretty omnipresent, in particular in company
> environments and the majority of server-side (J2EE) installations.

Server-side usage would not be affected by the proposed changes. TLS 1.3 clients would be sending v3 hellos which would be read just fine.

Server and client usage in company environments are where it is easiest to deal with the proposed changes. The clients' settings just need to be changed to stop using SSL entirely and send only v3 hellos.

I'll restate again, this is already the consensus. (again, assuming no surprises with the SSL3 I-D)

http://tools.ietf.org/html/rfc6176
http://tools.ietf.org/html/draft-ietf-tls-sslv3-diediedie-00

To directly quote RFC 6176 (2011):
"TLS clients MUST NOT send the SSL version 2.0 compatible CLIENT-HELLO message format"

With both SSL2 & SSL3 prohibited, there should be no v2 hellos. Put bluntly, any environment that actually HAS v2 hellos is already ignoring IETF RFCs. They will potentially ignore the proposed change for this RFC. They cannot be the basis for decisions on what gets into new RFCs.

Dave
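
An added example, not part of the original message: one way an operator could check whether any clients in an environment still send v2 hellos is to classify the first bytes each client sends. The field layout follows the SSL 2.0 compatible ClientHello described in RFC 5246 Appendix E.2; the function names and the sample byte strings are constructed for illustration.

```python
import struct
from collections import Counter

def classify_hello(data: bytes):
    """Classify the first bytes a client sent.

    Returns (format, advertised_version) where format is
    "v2-hello", "v3-hello" or "other".
    """
    # v3 (SSL 3.0 / TLS) framing: record type 22 (handshake), record
    # version 3.x, 2-byte record length, handshake type 1 (ClientHello),
    # 3-byte handshake length, then the 2-byte client_version.
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "v3-hello", (data[9], data[10])
    # SSL 2.0 compatible framing: 2-byte header with the high bit set,
    # msg_type 1, 2-byte version, then three 2-byte length fields.
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        body_len = ((data[0] & 0x7F) << 8) | data[1]
        cs_len, sid_len, ch_len = struct.unpack(">HHH", data[5:11])
        # The header length must match the fields; v2 cipher specs are
        # 3 bytes each, so reject anything that is not a multiple of 3.
        if cs_len and cs_len % 3 == 0 and body_len == 9 + cs_len + sid_len + ch_len:
            return "v2-hello", (data[3], data[4])
    return "other", None

def audit(first_flights):
    """Count hello formats across captured first flights."""
    return dict(Counter(classify_hello(d)[0] for d in first_flights))

# Constructed sample: v2-format hello advertising version 3.1 (TLS 1.0),
# three cipher specs, empty session id, 16-byte challenge.
V2_SAMPLE = bytes.fromhex("802201030100090000001000002f00000a010080") + bytes(16)
# Constructed sample: v3-format ClientHello advertising version 3.3.
V3_SAMPLE = (bytes.fromhex("160301002d010000290303") + bytes(32)
             + bytes.fromhex("000002002f0100"))
# Constructed sample: plaintext that is not a TLS handshake at all.
NOT_TLS = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for name, blob in [("v2", V2_SAMPLE), ("v3", V3_SAMPLE), ("http", NOT_TLS)]:
        print(name, classify_hello(blob))
    print(audit([V2_SAMPLE, V3_SAMPLE, V3_SAMPLE, NOT_TLS]))
```

A v2-format hello can advertise a version above SSL 2.0, which is why the classifier reports the framing and the advertised version separately.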