Re: [TLS] supported_versions in TLS 1.2
Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 24 November 2021 03:46 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Salz, Rich" <rsalz@akamai.com>, David Benjamin <davidben@chromium.org>, Peter Saint-Andre <stpeter@mozilla.com>
CC: "tls@ietf.org" <tls@ietf.org>
Date: Wed, 24 Nov 2021 03:45:51 +0000
Message-ID: <SY4PR01MB6251FEEB0EB5C3432CB0E08CEE619@SY4PR01MB6251.ausprd01.prod.outlook.com>
In-Reply-To: <5289476D-ADAA-4049-8300-5D67BA20314A@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/y3CS4zjqj4mW42Co4izxks3Bl5w>
Salz, Rich <rsalz@akamai.com> writes:

>Peter has forgotten more about long-term embedded applications than the rest
>of us have experience. I’ll leave it to him to say why it’s important.

I was making a more general point about not assuming that the only thing that matters is TLS 1.3 vs. TLS 1.2, and that that's all that needs to be accommodated.

Because of the TLS family A vs. family B protocol fork, there will be family A around more or less forever. For example, just a few days ago I was part of a long conference call with a major global user who was looking at a minimum 15-year (but in practice I expect more like 20-30 year) support plan for an upcoming rollout of family A TLS.

So just because TLS 1.3 exists doesn't mean all work on, and accommodation of, earlier versions should stop. In particular, that's why I wrote the TLS-LTS doc, because that explains how to apply family A in the safest manner possible for the foreseeable future.

In the specific case of supported_versions, there's no reason why the same thing can't be used to deal with e.g. TLS 1.0 -> TLS 1.2 version intolerance, which is still a thing.

That's one thing that SSH did right (alongside a lot of stuff that TLS does much better): you can fingerprint a server via its ID string and work around problems when you connect without needing to change the code on the server you're connecting to.

Peter.
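The negotiation idea in the last two paragraphs, as an added example that is not code from the message or from any list participant: the supported_versions extension wire format is taken from RFC 8446 section 4.2.1 (extension type 43, a one-byte-length-prefixed list of two-byte versions in the ClientHello), and the selection rule mirrors that section's requirement that a server which understands the extension use it and ignore legacy_version. Applying that rule in a server that tops out at TLS 1.2 is the hypothetical the thread discusses, not something RFC 5246 defines; the ClientHello extension bytes below are constructed for the example.

```python
# Added example (not from the TLS list thread): supported_versions encode/
# decode per RFC 8446 4.2.1 plus a version-selection routine that shows how a
# client can keep legacy_version low for intolerant servers while still
# reaching TLS 1.2 on a server that reads the extension (hypothetical use).
import struct

SUPPORTED_VERSIONS = 43  # extension type, RFC 8446 section 4.2
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304


def encode_supported_versions(versions):
    """Build the full extension (type, length, data) for a ClientHello.
    ClientHello form is ProtocolVersion versions<2..254>: 1-byte length."""
    body = b"".join(struct.pack("!H", v) for v in versions)
    if not 2 <= len(body) <= 254:
        raise ValueError("versions list must hold 1..127 entries")
    ext_data = bytes([len(body)]) + body
    return struct.pack("!HH", SUPPORTED_VERSIONS, len(ext_data)) + ext_data


def decode_supported_versions(ext_data):
    """Parse ClientHello extension_data back into a list of versions,
    rejecting the malformed shapes a robust parser must not accept."""
    if not ext_data:
        raise ValueError("empty supported_versions")
    n = ext_data[0]
    if n < 2 or n % 2 or len(ext_data) != 1 + n:
        raise ValueError("malformed supported_versions")
    return [struct.unpack("!H", ext_data[1 + i:3 + i])[0] for i in range(0, n, 2)]


def parse_extensions(ext_block):
    """Split a ClientHello extensions vector (2-byte total length prefix)
    into {extension_type: extension_data}."""
    if len(ext_block) < 2:
        return {}
    total = struct.unpack("!H", ext_block[:2])[0]
    if total != len(ext_block) - 2:
        raise ValueError("extensions length mismatch")
    out, pos = {}, 2
    while pos < len(ext_block):
        etype, elen = struct.unpack("!HH", ext_block[pos:pos + 4])
        pos += 4
        out[etype] = ext_block[pos:pos + elen]
        pos += elen
    return out


def select_version(legacy_version, extensions, server_supported):
    """Server-side choice. With supported_versions present, pick from the
    offered list and ignore legacy_version (RFC 8446 4.2.1); without it,
    fall back to the pre-1.3 rule of highest server version <= legacy_version.
    Returns the chosen version or None (the server would then alert)."""
    if SUPPORTED_VERSIONS in extensions:
        offered = decode_supported_versions(extensions[SUPPORTED_VERSIONS])
        common = [v for v in server_supported if v in offered]
        return max(common) if common else None
    common = [v for v in server_supported if v <= legacy_version]
    return max(common) if common else None


def constructed_client_hello_extensions():
    """Constructed ClientHello extension block: the client advertises
    TLS 1.2, 1.1 and 1.0 in supported_versions so that legacy_version can
    be pinned to TLS 1.0 for servers that choke on a higher legacy_version."""
    ext = encode_supported_versions([TLS12, TLS11, TLS10])
    return struct.pack("!H", len(ext)) + ext


if __name__ == "__main__":
    exts = parse_extensions(constructed_client_hello_extensions())
    # Extension-aware server (hypothetical TLS 1.2 peer): reaches 1.2 even
    # though legacy_version says 1.0.
    print(hex(select_version(TLS10, exts, [TLS10, TLS11, TLS12])))
    # Old server that ignores unknown extensions: legacy path yields 1.0.
    print(hex(select_version(TLS10, {}, [TLS10, TLS11, TLS12])))
```

The two calls at the bottom are the point of the sketch: the same ClientHello lands on TLS 1.2 at a server that reads the extension and on TLS 1.0 at one that does not, without the client having to probe the server first or the server having to change its legacy_version handling.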