Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation
Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 16 October 2019 13:40 UTC
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A0D5120108; Wed, 16 Oct 2019 06:40:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=dU21wJib; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=armh.onmicrosoft.com header.b=u2QCBJVt
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C8BWV_inwGqD; Wed, 16 Oct 2019 06:40:44 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20047.outbound.protection.outlook.com [40.107.2.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CACF9120103; Wed, 16 Oct 2019 06:40:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=R0tnCGmANZf3GrIqw0BDtJZTpNRpZ8EisQcJTBDQ+Rk=; b=dU21wJib1sr2CzbnnlqTF8/TXg2BNHBjBLvq2kT3psdAzp24d+ewRtZQFH0y6mIi7kd4OG0w5r4oZ7uHJjdEfBvVUnY0DBH/zmhRn2O2+mmkAgnQSqIffuRfIx2VFTKPXKv0dyiwYGNxozVhZHN0hqr88yM2SU8NhT+rlflHjEs=
Received: from VE1PR08CA0022.eurprd08.prod.outlook.com (2603:10a6:803:104::35) by AM6PR08MB3989.eurprd08.prod.outlook.com (2603:10a6:20b:b0::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.16; Wed, 16 Oct 2019 13:40:37 +0000
Received: from DB5EUR03FT059.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e0a::209) by VE1PR08CA0022.outlook.office365.com (2603:10a6:803:104::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2347.16 via Frontend Transport; Wed, 16 Oct 2019 13:40:37 +0000
Authentication-Results: spf=fail (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=none action=none header.from=arm.com;
Received-SPF: Fail (protection.outlook.com: domain of arm.com does not designate 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT059.mail.protection.outlook.com (10.152.21.175) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2305.15 via Frontend Transport; Wed, 16 Oct 2019 13:40:36 +0000
Received: ("Tessian outbound 6481c7fa5a3c:v33"); Wed, 16 Oct 2019 13:40:34 +0000
X-CR-MTA-TID: 64aa7808
Received: from 55f405c3df37.1 (ip-172-16-0-2.eu-west-1.compute.internal [104.47.12.59]) by 64aa7808-outbound-1.mta.getcheckrecipient.com id 389183F3-6152-406E-AA60-99060F22B9F3.1; Wed, 16 Oct 2019 13:40:29 +0000
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04lp2059.outbound.protection.outlook.com [104.47.12.59]) by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 55f405c3df37.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 16 Oct 2019 13:40:29 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PqiMFFTY//nsfVJpHW4bTPRaLIV35Tn5ySXagEmUUKKGn71ushMx7jBxph7N1feQq0tnFRwi7wEC3AGzq4ngIkbdrZ9Y2xyXfSATSts7U9kckwxpiQ34bHRygZ0FHPjZzmAUGXTS9BUqLzFzlB0eMoEPubW9wwRzFbLm6AaG9btG/xXDvOZzp3VmZn4Z86nnS7OI0yl3vU6OywwNX2FgOcUnfdzUSktP8IynnUDuIauvLfe1xLUb7zGaJxxKlmQCDh2LwLbj48/BMr/XKlnGIFOlbvoBlP8rfi6LvQTn+iAU9j1ENpzk8DgH2gPb+hPjRoq/0NYn6XewV69t/E1F3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cR5N/Bq366amcpSju8DCspeN2eGyC9NqxzjgEZyxRHc=; b=PTdIQ8bAlejF3BTV6TCryX6n7qI9s3ozetvKpLTW6QGpWeOX9Sbl9+SnABag+anHoh/rNfZ1rPcdjNmrvevIzpNbzIkCnuluYIH/bsxEP6qJJSJBP1VHubLDvCyEIPPBB74/FL9gWswLQ/x8QYMIFfRNU3CaPIGLtce3NQOuWYRaXtjkQYMndpG5ORx/OE7llPG2UwxSENaA2/BVrCQPQob3qBpuHYVLo1nz6scFiw+q0nR5U2bIaLbpkCUC94t2QQ0JGQwFNn/4AIRZ24yLQ/g4rLuyzeorJloc7ZhcmPRe8f7dNlt0cYYKW5NB50kP85viVczu0nlVzsfXrDj8/g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cR5N/Bq366amcpSju8DCspeN2eGyC9NqxzjgEZyxRHc=; b=u2QCBJVtobTNozvJq82OU8Z7mnGmLEQob9AL5BrgbP7xzvSIY9Cx1KbXETblLae082ZZqpUbgV9z9fDTSCA/1em3IRHj455zWOnc7LhtEjN1N0vdWx3M/02vyn+LUbcqjJ1jsIMat9aAoqJfoYETTccnmSRgAKUsk9/oXT4liMo=
Received: from VI1PR08MB5360.eurprd08.prod.outlook.com (52.133.245.74) by VI1PR08MB3870.eurprd08.prod.outlook.com (20.178.80.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.17; Wed, 16 Oct 2019 13:40:27 +0000
Received: from VI1PR08MB5360.eurprd08.prod.outlook.com ([fe80::b003:8767:35c7:e31]) by VI1PR08MB5360.eurprd08.prod.outlook.com ([fe80::b003:8767:35c7:e31%2]) with mapi id 15.20.2347.023; Wed, 16 Oct 2019 13:40:27 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "TLS@ietf.org" <TLS@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation
Thread-Index: AQHVe2jJg2f9VjEFuEec6uHWJQ1CSKddU8Lw
Date: Wed, 16 Oct 2019 13:40:27 +0000
Message-ID: <VI1PR08MB5360EC668FC3EBB6AA065444FA920@VI1PR08MB5360.eurprd08.prod.outlook.com>
References: <03B5BDAC-5B17-47B2-85D0-225DCCABDC42@ericsson.com> <024b01d5785d$51b3d7d0$f51b8770$@gmx.net> <0B7954B0-275B-45BE-9353-695612B7F5D3@ericsson.com>
In-Reply-To: <0B7954B0-275B-45BE-9353-695612B7F5D3@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 60c5849c-ccb4-4776-93b6-e0334875c308.1
x-checkrecipientchecked: true
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.123.83]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: b616f816-3cad-4943-5b92-08d7523e6d3f
X-MS-Office365-Filtering-HT: Tenant
X-MS-TrafficTypeDiagnostic: VI1PR08MB3870:|AM6PR08MB3989:
X-MS-Exchange-PUrlCount: 1
X-Microsoft-Antispam-PRVS: <AM6PR08MB39893B6FEB0385567F46CE11FA920@AM6PR08MB3989.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
x-ms-oob-tlc-oobclassifiers: OLM:6790;OLM:6790;
x-forefront-prvs: 0192E812EC
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(136003)(39860400002)(396003)(366004)(13464003)(189003)(199004)(305945005)(66556008)(6116002)(76116006)(66476007)(2906002)(2201001)(26005)(64756008)(6436002)(478600001)(6506007)(5660300002)(186003)(102836004)(53546011)(3846002)(966005)(74316002)(66946007)(33656002)(7736002)(66446008)(6246003)(7696005)(76176011)(11346002)(446003)(99286004)(66066001)(14454004)(71190400001)(71200400001)(8936002)(55016002)(486006)(52536014)(81166006)(476003)(2501003)(25786009)(8676002)(9686003)(81156014)(229853002)(14444005)(256004)(110136005)(86362001)(6306002)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR08MB3870; H:VI1PR08MB5360.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: N9j5BWWyxcMhxg20NH5fD0GIBH1XQeSA+Ov114HFwAVIzkowWh3+hpumRo9z9zvZrnNO4pXAvrw5bNnl7/UaMzskwk5fDFft8/1aGJt5VuIdUoeGIK7d+PWIgbWFFYhsX4hxF7IqSiXaCsEAUYEqSfb30J8+p0iLc5mUGXyDWKxTCwLc2BMUMfV6N6srXLLz4yoZSC7Xpyc2JPO3ehiUPf9Ph3VE4FiWTBce6X5o0nH3PHozEpdFwqnokhxDoclMIthrpwwXN5wGyN/n+QxyWMHeipN8G83xZV+zD98nA5nLxXAnbmdEtIbgXHQfvNDSurj1Ivr52HWfJpF7FTISImCl7rjH/9jaYIcPpdc81luGYgQX+KLGy1OkzuBakn1Yv1mMhBduyBCG8LmFMETxtTV+DLSFjQRA6IhXqOQmbIaa8aLSuwOtbTPHBVdRZBuKFs2qphMcdslxb13gXQqjEQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB3870
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT059.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(396003)(136003)(346002)(39860400002)(376002)(1110001)(339900001)(13464003)(199004)(189003)(40434004)(14444005)(11346002)(9686003)(336012)(446003)(47776003)(2201001)(6116002)(3846002)(8936002)(450100002)(74316002)(2906002)(33656002)(7736002)(229853002)(436003)(86362001)(5024004)(305945005)(52536014)(102836004)(6306002)(7696005)(70206006)(6506007)(53546011)(26826003)(22756006)(55016002)(14454004)(76130400001)(186003)(2501003)(76176011)(478600001)(26005)(966005)(5660300002)(316002)(476003)(8676002)(50466002)(81156014)(81166006)(99286004)(356004)(110136005)(486006)(6246003)(66066001)(70586007)(126002)(25786009)(23676004)(2486003); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR08MB3989; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:Fail; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; A:1; MX:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 0f6e2a7c-f4b6-4c1b-669f-08d7523e67b3
X-Forefront-PRVS: 0192E812EC
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 3ulNnLwMQ70mCKB6KErHTfxLvm+JdZvChcgewAo4h3U+mcEX7k9YWZK3szCbmuY+k5uuX5wdGjDFhaknTk7xmAZ3i0DDmQ59wpF56GcUAlw4hqHv45urChMEib8DmRjjwT587ghCgnBC95E3mdshS2A0jrEqHCh/xnO9Y6VZ5wiJ/VjuHUwVwdo8QBYj91aH8JdxJtVCHW1U4y6cfxeQCqBBf+2XLHpkQgaGJlb4kAKR6NUKYhDcrj3cVQwY6gydml1nZQnPeih2ys3UedGkTGaWlfttPWfZcxWu86zmk5+KIyBUaYNnh92GThClZQuzARxrwk9h69jBJEFE5eTfHNYm4SkvBCcgS/FuN/jA1pft8KfxYM+8cviP307FrLyvrlKleUQuSegDpr95n+UlHE7wRpTzIq3isMw9J564gTlGtktV8Gt5F+ZhUFPcLtt7IlsSbC4gtgJgx1gK0uYHIA==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Oct 2019 13:40:36.9812 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b616f816-3cad-4943-5b92-08d7523e6d3f
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB3989
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rJuFGix2E4Kj-aVAEk1Zw50-tqg>
Subject: Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 13:40:47 -0000
John, you reference RFC 7540 and I believe you wanted to refer to RFC 7925 instead. RFC 7925 talks about the Extended Master Secret extension, Signature Algorithm extension, and OCSP stapling. Ciao Hannes -----Original Message----- From: saag <saag-bounces@ietf.org> On Behalf Of John Mattsson Sent: Samstag, 5. Oktober 2019 12:36 To: hannes.tschofenig@gmx.net; TLS@ietf.org; saag@ietf.org Subject: Re: [saag] [TLS] Lessons learned from TLS 1.0 and TLS 1.1 deprecation "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net> wrote: > PS: As Kathleen noted TLS 1.2 and DTLS 1.2 are perfectly fine if you follow RFC 7925/7525. While TLS 1.2 and DTLS 1.2 can be configured to be secure, RFC 7525 is definitely not enough. RFC 7540 would be a good start, but also that would need to be extended with support of extensions like Extended Master Secret, Signature Algorithms, and Certificate Status Request to be considered fine in 2019. Cheers, John _______________________________________________ saag mailing list saag@ietf.org https://www.ietf.org/mailman/listinfo/saag IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [TLS] Lessons learned from TLS 1.0 and TLS 1.1 de… John Mattsson
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Salz, Rich
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Kathleen Moriarty
- Re: [TLS] [saag] Lessons learned from TLS 1.0 and… Michael Richardson
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Daniel Migault
- Re: [TLS] [saag] Lessons learned from TLS 1.0 and… Daniel Migault
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Martin Thomson
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Stephen Farrell
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Daniel Migault
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Martin Thomson
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Stephen Farrell
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Daniel Migault
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Simon Bernard
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Salz, Rich
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Eric Rescorla
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Salz, Rich
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… David Benjamin
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Benjamin Kaduk
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Stephen Farrell
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Daniel Migault
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… John Mattsson
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… John Mattsson
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Kathleen Moriarty
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Kathleen Moriarty
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… hannes.tschofenig
- Re: [TLS] [saag] Lessons learned from TLS 1.0 and… Michael Richardson
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Daniel Migault
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Peter Gutmann
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… John Mattsson
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Christopher Wood
- Re: [TLS] Lessons learned from TLS 1.0 and TLS 1.… Hannes Tschofenig