Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

David Benjamin <> Mon, 11 January 2016 23:17 UTC

From: David Benjamin <>
Date: Mon, 11 Jan 2016 23:17:01 +0000
To: Kurt Roeckx <>,

In terms of getting rid of TLS 1.0 and TLS 1.1 altogether, we're seeing
around 3% of connections using TLS 1.0 or TLS 1.1. That's quite high, and
it's likely that enterprise deployments are much worse.

I started gathering numbers on ServerKeyExchange hashes back in November.
The code isn't on Chrome's stable channel yet, but earlier channels say a
bit over 5% of ServerKeyExchanges are signed with SHA-1, which is also
quite high.

I also started probing servers in November and observed:
(a) Servers which always sign SHA-1.
(b) Servers which sign SHA-1 *unless* signature_algorithms omits it. Then
they sign SHA-256!?!!?
(c) Servers which sign SHA-2 but fail if signature_algorithms omits SHA-1.
The ones I looked at were all from serving SHA-1 certificates, so probably
their SSL stack compares certs against sig_algs.

(b) and (c) mean that getting a sense of the true impact will be
complicated until we finish getting SHA-1 certificates out of our system. I
have not dug into what's going on with groups (a) and (b) yet.

This all is not to say we shouldn't phase these out. But I do not expect it
to be a speedy process for browsers.


On Mon, Jan 11, 2016 at 1:30 PM Kurt Roeckx <> wrote:

> Hi,
> After the SLOTH paper, we should think about starting to deprecate
> TLS 1.0 and TLS 1.1 and the SHA1 based signature algorithms in TLS
> 1.2.
> As I understand it, they estimate that both TLS 1.2 with SHA1 and
> TLS 1.0 and 1.1 with MD5|SHA1 currently require about 2^77 to be
> broken.  They all depend on the chosen prefix collision on SHA1,
> with the MD5 part in TLS 1.0 and 1.1 not adding much.
> It seems that disabling SHA1 in TLS 1.2 doesn't buy you anything
> unless you also disable TLS 1.0 and 1.1.
> Kurt
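The ServerKeyExchange hash measurement described in the reply above, as an added example that is not part of the original thread or of Chrome's code: it parses the signed ECDHE ServerKeyExchange body (layout per RFC 4492 section 5.4 and RFC 5246 section 7.4.3) to see which hash the server signed with, and encodes a ClientHello signature_algorithms extension so that an operator can check how a server under their own control behaves when SHA-1 is omitted. The sample message bytes are constructed here, not captured from any real server.

```python
import struct

HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def parse_ecdhe_server_key_exchange(body: bytes) -> dict:
    """Parse a TLS 1.2 ECDHE ServerKeyExchange body (handshake header
    already stripped). Only the named_curve form (curve_type 3) of
    ECParameters is handled, which is what servers send in practice."""
    if not body or body[0] != 3:
        raise ValueError("only named_curve ECParameters supported")
    named_curve = struct.unpack("!H", body[1:3])[0]
    point_len = body[3]
    pos = 4 + point_len                      # skip the ECPoint
    if len(body) < pos + 4:
        raise ValueError("truncated ServerKeyExchange")
    hash_alg, sig_alg = body[pos], body[pos + 1]   # SignatureAndHashAlgorithm
    sig_len = struct.unpack("!H", body[pos + 2:pos + 4])[0]
    sig = body[pos + 4:pos + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated signature")
    return {
        "named_curve": named_curve,
        "hash": HASH_NAMES.get(hash_alg, f"unknown({hash_alg})"),
        "signature": SIG_NAMES.get(sig_alg, f"unknown({sig_alg})"),
        "uses_sha1": hash_alg == 2,
        "signature_len": sig_len,
    }


def signature_algorithms_extension(pairs) -> bytes:
    """Encode a signature_algorithms extension (type 13) from (hash, sig)
    byte pairs; leaving (2, 1) out of `pairs` is what 'omits SHA-1' means
    on the wire."""
    algs = b"".join(bytes(p) for p in pairs)
    ext_data = struct.pack("!H", len(algs)) + algs
    return struct.pack("!HH", 13, len(ext_data)) + ext_data


# Constructed sample: secp256r1 (23), 4-byte dummy point, sha1(2)/rsa(1),
# 4-byte dummy signature. Real points and signatures are far longer.
SAMPLE_SKE = (bytes([3]) + struct.pack("!H", 23) + bytes([4]) + b"\x04\x01\x02\x03"
              + bytes([2, 1]) + struct.pack("!H", 4) + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    print(parse_ecdhe_server_key_exchange(SAMPLE_SKE))
    print(signature_algorithms_extension([(4, 1), (5, 1), (4, 3)]).hex())
```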