Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)

Dave Garrett <davemgarrett@gmail.com> Fri, 22 May 2015 03:04 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 465621A903A for <tls@ietfa.amsl.com>; Thu, 21 May 2015 20:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ykusE9sdBmX for <tls@ietfa.amsl.com>; Thu, 21 May 2015 20:04:13 -0700 (PDT)
Received: from mail-qg0-x22f.google.com (mail-qg0-x22f.google.com [IPv6:2607:f8b0:400d:c04::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B13D21A9039 for <tls@ietf.org>; Thu, 21 May 2015 20:04:13 -0700 (PDT)
Received: by qgez61 with SMTP id z61so2899359qge.1 for <tls@ietf.org>; Thu, 21 May 2015 20:04:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=Jb7CM0iN2/RpHCKu1gtPPHEgn/zbje4xil73wU2b6gs=; b=EkFHss3aN9sEOfs80E2mGDe6GE1PNOBYxbtWNkxF2ErXq8nfZo/gMvVx6T/jwCzzLr bu0nKEztT/ChgHvAwv+tkwqrzbtx2FTlmYbwBtip0c/kz6f10+jBUW1dVr1wpsBPqtDB gGy5Tzw8+SE6RqDB7DOVitTRGodJG5b5MJQGE+zamlW2YfX6pGeFsfVn0ZOazdByx8/P 9mvQ2QrXJSoAOS8HWTSjTghMXkvDrIYt5fdoZMpiKfKuulyMt7aJ+Cq2iHm0LMSGbfNC x/9brThULsE7S+Pajzk6UeN8oZHEVI6cybssSg4Ymc2GN2pfnWEuAJyVbzq0x6EsG17n ditg==
X-Received: by 10.140.150.209 with SMTP id 200mr8606337qhw.31.1432263852941; Thu, 21 May 2015 20:04:12 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id d69sm549185qhc.3.2015.05.21.20.04.12 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 21 May 2015 20:04:12 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Thu, 21 May 2015 23:04:11 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <201505211210.43060.davemgarrett@gmail.com> <20150522025214.GA21141@typhoon.azet.org> <CAHOTMVJ1i+h3x8UShLhku5VcFiB4RRrUmPZL6cz7LnHMeHzAFA@mail.gmail.com>
In-Reply-To: <CAHOTMVJ1i+h3x8UShLhku5VcFiB4RRrUmPZL6cz7LnHMeHzAFA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201505212304.11513.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uEtkgmoIX8jNFafDOs3MIxRyQRg>
Subject: Re: [TLS] prohibit <1.2 support on 1.3+ servers (but allow clients)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 03:04:15 -0000

On Thursday, May 21, 2015 10:56:22 pm Tony Arcieri wrote:
> On Thu, May 21, 2015 at 7:52 PM, Aaron Zauner <azet@azet.org>; wrote:
> > So how about that TLSv1-diediedie document? :)
> 
> I am very much +1 for more diediedie documents ;)

I'm certainly not going to argue against that. ;)

That said, the RC4 diediedie is getting largely ignored. To actually kill something like this off, it seems to need to be done as a panic response or as a requirement of something new that everyone starts together. (e.g. SSL3 diediedie or old TLS with HTTP/2) Thus was my reasoning for at least attempting to suggest it here. :|


Dave