Re: [TLS] [CAUTION] Re: Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 11 July 2018 16:39 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F321130F67 for <tls@ietfa.amsl.com>; Wed, 11 Jul 2018 09:39:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8134Arx_uoIx for <tls@ietfa.amsl.com>; Wed, 11 Jul 2018 09:39:19 -0700 (PDT)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D3A5130E69 for <tls@ietf.org>; Wed, 11 Jul 2018 09:39:19 -0700 (PDT)
Received: by mail-qt0-x232.google.com with SMTP id c5-v6so21596213qth.5 for <tls@ietf.org>; Wed, 11 Jul 2018 09:39:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=cimhSuNJx58DOv+KPjZH/pNfYsb5mmYxAQST8AHYNsA=; b=G3je+5yojDPVdjFUmoz8iWBZDmsBla4R+Nu6Y/rK2FbxidsN4JfBrZR6qVqjbDj3tY OPHbUWWMRLYJzkuHK20uEblTSdSfYJSkmfuXdDH3XOhuFSN9aQuGScEuLk2rNX6yUxZK Py4kH3fQqTMRH4HT1g3avmiqliXppvRCUkoijfT58B6mLWvy0ifODw3iNdyVHfb0YkAT OMa70mtP3HhFR+41lD5Z1WRlgQJU5FpMcAZwsGIJ/nJrdWNw9vo8tav0a3d3/ejWP0XE uwvQrLT1izQL3oiXAgEqFG8SJKq5S5kiPFpzdNpLazjAxgqYmD0ACl8ZPb5AK2IsvMj3 5jEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=cimhSuNJx58DOv+KPjZH/pNfYsb5mmYxAQST8AHYNsA=; b=GULXIYmLxQyLCkUHWYIcdfVQGD6Bzqm7hz1N57zl6l9R3FE7882iVu2d81teqbBAyu SnboSCKtfTj6cJCNb2qNnlApjucylZ4FNpIjOfbPk7QTNLHOkblLSLpMv2Zlt8hNvDvZ LVjbnzyo82hBotPGKjQMMheABbkmMNA7nhO+ddG2POcPDoJ/s3yk3S6GiAqWdd2fa0MS gC8ZryTIws2GUYHS5nMaW8YMmJwuENSCJRHMnHAiaig983GQQlL4JNTs9Or9BOwI3d3c /k1UcaZ98NLSps0QF1ac+IA3nMmf/gl9A90J9hivIKbM5kFODBf9c++KwRzQ6ngVmSNL d89A==
X-Gm-Message-State: APt69E0GQRAbNFslc5BrlDob3PL6/rA7hNp/cMdaOhZArz2ObsKi+seI snErF5SP3WSMgJYMYbzqgYDRT41p
X-Google-Smtp-Source: AAOMgpfD4MkYi6mSxDzHeEf5JM9PBfOBPRkXnyeiIvGsxI4X/JxNNzb2mAI9uR6uG6AYeP6CKuKJDg==
X-Received: by 2002:ac8:1987:: with SMTP id u7-v6mr28381939qtj.296.1531327158468; Wed, 11 Jul 2018 09:39:18 -0700 (PDT)
Received: from [192.168.1.210] (209-6-121-113.s2671.c3-0.arl-cbr1.sbo-arl.ma.cable.rcncustomer.com. [209.6.121.113]) by smtp.gmail.com with ESMTPSA id w13-v6sm5507819qtc.88.2018.07.11.09.39.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Jul 2018 09:39:17 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Mailer: iPhone Mail (15E216)
In-Reply-To: <20180710203132.A21CB409B@ld9781.wdf.sap.corp>
Date: Wed, 11 Jul 2018 12:39:16 -0400
Cc: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <646B8AB5-A03C-4B3D-BC3C-139AFD426AB5@gmail.com>
References: <152934875755.3094.4484881874912460528.idtracker@ietfa.amsl.com> <CAHbuEH5J-F2cKag02Vx416jsy1N6XZOju28H99WAt71Pc5optg@mail.gmail.com> <CABcZeBN4RPt_=zu-PTPeaYbQ4KxC8DAf=a7359pZDjYavpxecw@mail.gmail.com> <CABcZeBMzweULuOfxe_Dp7n6M7Lt77_1Qq92=KzfmuBeShUSCDQ@mail.gmail.com> <CY4PR21MB0774BE80A4424D41D0C8C4138C440@CY4PR21MB0774.namprd21.prod.outlook.com> <20180709222007.AF5BD409B@ld9781.wdf.sap.corp> <20180710203132.A21CB409B@ld9781.wdf.sap.corp>
To: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/txiZ2xm-BWfG2QTKZeTLbX_Mz7k>
Subject: Re: [TLS] [CAUTION] Re: Fwd: New Version Notification for draft-moriarty-tls-oldversions-diediedie-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 16:39:22 -0000


Sent from my mobile device

> On Jul 10, 2018, at 4:31 PM, Martin Rex <mrex@sap.com> wrote:
> 
> mrex@sap.com (Martin Rex) wrote:
>> Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org> wrote:
>>> 
>>> On the recent Windows versions, TLS 1.0 is negotiated more than 10%
>>> of the time on the client side (this includes non-browser connections
>>> from all sorts of apps, some hard-coding TLS versions),
>>> and TLS 1.1 accounts for ~0.3% of client connections.
>> 
>> "On recent Windows versions" sounds like figure might not account
>> for Windows 7 and Windows Server 2008R2, about half of the installed
>> base of Windows, and where the numbers are likely *MUCH* higher.
>> 
>> When troubleshooting TLS handshake failures, I sometimes trying
>> alternative SSL/TLS clients on customer machines through remote support,
>> and it seems when I run this command on a Windows 2012R2 server:
>> 
>>        powershell "$web=New-Object System.Net.WebClient ; $web.DownloadString('https://www.example.com/')" 2>&1
>> 
>> it connects with TLSv1.0 only, and this is a client-side limitation.
>> 
>> To make it use TLSv1.2, I would have to use
>> 
>>        powershell "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; $web=New-Object System.Net.WebClient ; $web.DownloadString('https://www.example.com/')" 2>&1
>> 
>> i.e. explicit opt-in.
> 
> 
> btw. I checked this on a Windows 10 (1709) machine, and it's powershell also
> tries connecting with TLSv1.0 only.
> 
> To me, it looks more like 100% of the Microsoft Windows installed
> base not being ready for a TLSv1.2-only world.
> 
Martin,

Do you want to add a PR with this unless further verification is needed?

Thank you,
Kathleen 

> 
> -Martin
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls