Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt
Jeffrey Walton <noloader@gmail.com> Wed, 03 June 2015 21:14 UTC
Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2C401B2F19 for <tls@ietfa.amsl.com>; Wed, 3 Jun 2015 14:14:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4b4yIyl4OfeG for <tls@ietfa.amsl.com>; Wed, 3 Jun 2015 14:14:53 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51A771B2F1C for <tls@ietf.org>; Wed, 3 Jun 2015 14:14:53 -0700 (PDT)
Received: by igbyr2 with SMTP id yr2so123680156igb.0 for <tls@ietf.org>; Wed, 03 Jun 2015 14:14:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=pv4UhhH3DWQ3j/+k6NWNTsPcJ4Db3BFLYzdY9Ighbzo=; b=BHfUv07oqTOFUWeKCBBoHAXtdZ5mlbAdCSaH3zCm+9c6OcovZNjTtWPkEumxYYWKmX beWb6avuAbGUoa+Svw+wISAl2QE/JKZ5kUcn3pBey8ALqU58cnBApp/2kwYhDVyP5OtR +xzvv/cw7raS1xJr+MAvzs3Ps1EZF5B061Wq3VQjRv0P5Y30ejYrXGQKkh6TAKI/DMz/ n6ZdxuQ2tuDcSwUEWNIvHcTPC9/A7aaEVhSxPg5RG86moB/+WQx4Y8U1eaQ9VfFCq6LS 9WPMeqj4to7I/98Zy7sAzajqPFnUC5hco7803bBm7EzBg/tvfEFuZKooTmbkJ4HTvT0B cMGg==
MIME-Version: 1.0
X-Received: by 10.50.25.162 with SMTP id d2mr880199igg.11.1433366092764; Wed, 03 Jun 2015 14:14:52 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Wed, 3 Jun 2015 14:14:52 -0700 (PDT)
In-Reply-To: <CAHOTMV+PUtkkC3Hy5BRQ+of+13F+2Jp+kSpqhFcm9Av984hLnA@mail.gmail.com>
References: <20150601225057.17500.96911.idtracker@ietfa.amsl.com> <201506031323.37163.davemgarrett@gmail.com> <877frk7keg.fsf@alice.fifthhorseman.net> <201506031613.13571.davemgarrett@gmail.com> <CAHOTMV+PUtkkC3Hy5BRQ+of+13F+2Jp+kSpqhFcm9Av984hLnA@mail.gmail.com>
Date: Wed, 03 Jun 2015 17:14:52 -0400
Message-ID: <CAH8yC8nyR4YFHXqbG8F+ne=Usin9Chrn2wStAai1sr_ehAueqA@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rqKSmfFVQvcRwSrpXZm65gXoYzo>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 21:14:54 -0000
On Wed, Jun 3, 2015 at 4:50 PM, Tony Arcieri <bascule@gmail.com> wrote: > > > On Wednesday, June 3, 2015, Dave Garrett <davemgarrett@gmail.com> wrote: >> >> The topic brought up by Tony Arcieri was the apparent plague of old Java >> clients using TLS currently. A replacement set of cipher suites would >> transparently fix this in a simpler way. It adds more suites, yes, but it >> would ensure that this is only ever even _attempted_ to be negotiated >> between clients and servers that both support them properly. > > > That's "half the battle", IMO, and I think the other half of my argument was > lost in a swarm of "LOL Java, there's your problem" responses. I also called > out the "what about a catastrophic ECC failure?" in advance and yet that is > somehow the main "pedantic" response I've been receiving to my complaints. > One thing to keep in mind with the Java clients... SSLSocketFactory.getInstance("TLS"); will return a socket with SSLv3 and TLS 1.0 enabled. You will also get the cipher suite zoo enabled. TLS 1.1 and 1.2 were even disabled for Java 7 (Java 8 finally enabled them). You have to jump through hoops to get something sane, like "TLS 1.0 and above with reasonable cipher suites". See, for example, http://stackoverflow.com/a/23365536/608639. So its not clear you would get desired behavior regardless of what happens. Old clients won't get the updates, and old and new code often won't utilize seek out desired socket behavior. Jeff
- [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dh… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Yuhong Bao
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Yuhong Bao
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Yuhong Bao
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Dave Garrett
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Michael D'Errico
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Bowen
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Dave Garrett
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Dave Kern
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Dave Garrett
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Jeffrey Walton
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Dave Garrett
- [TLS] drop ffdhe2048? (was: I-D Action: draft-iet… Dave Garrett
- Re: [TLS] drop ffdhe2048? (was: I-D Action: draft… Eric Rescorla
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Dave Kern
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Tony Arcieri