Re: [Tools-discuss] Phasing out TLS 1.0/1.1 on IETF services
Robert Sparks <rjsparks@nostrum.com> Mon, 27 June 2022 13:58 UTC
Return-Path: <rjsparks@nostrum.com>
X-Original-To: tools-discuss@ietfa.amsl.com
Delivered-To: tools-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 148DEC157B36; Mon, 27 Jun 2022 06:58:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.56
X-Spam-Level:
X-Spam-Status: No, score=-3.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sDKgr9RsN_UK; Mon, 27 Jun 2022 06:58:02 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62822C157B34; Mon, 27 Jun 2022 06:58:02 -0700 (PDT)
Received: from [192.168.1.114] ([47.186.48.51]) (authenticated bits=0) by nostrum.com (8.17.1/8.17.1) with ESMTPSA id 25RDvvvs054648 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Mon, 27 Jun 2022 08:57:58 -0500 (CDT) (envelope-from rjsparks@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1656338281; bh=hCClfR9ucniItA+QZjdyRm7IUrlcbWxab64Spn/LuQs=; h=Date:Subject:To:References:From:In-Reply-To; b=GGZkIshwp7wK4jCUQZJ83lHpDddNvdjSNuXMQ84KUBpN8Gpmy4MmVch7H9BuOivNd UwuA/cadpDsIYdJIvco9zueIADvuvniSwLUIsHIe1AuMrnlGUNgqBohNgDEF+AhLoy zsPHinJS0VopsOLwJQGmy+3RORodXQXggLlXS/2E=
X-Authentication-Warning: raven.nostrum.com: Host [47.186.48.51] claimed to be [192.168.1.114]
Content-Type: multipart/alternative; boundary="------------ZDfZdf9UhKLYELzpAGut478i"
Message-ID: <94bf5152-dc46-cb7d-f139-daa728e7b545@nostrum.com>
Date: Mon, 27 Jun 2022 08:57:52 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>, "tools-discuss@ietf.org" <tools-discuss@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
References: <492E44F3-68AB-4252-925E-53A48D5D16FA@cisco.com>
From: Robert Sparks <rjsparks@nostrum.com>
In-Reply-To: <492E44F3-68AB-4252-925E-53A48D5D16FA@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tools-discuss/qbB_vRCP03H_28-xtRmExWkIkh8>
Subject: Re: [Tools-discuss] Phasing out TLS 1.0/1.1 on IETF services
X-BeenThere: tools-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Tools Discussion <tools-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tools-discuss>, <mailto:tools-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tools-discuss/>
List-Post: <mailto:tools-discuss@ietf.org>
List-Help: <mailto:tools-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tools-discuss>, <mailto:tools-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2022 13:58:06 -0000
I will make the change to configuration at CloudFlare tomorrow, early afternoon US Central. Only HTTPS traffic going through CloudFlare to *.ietf.org web services will be affected. RjS On 6/24/22 12:51 AM, Eric Vyncke (evyncke) wrote: > > Dear all, (please reply to tools-discuss@ietf.org only) > > Based on feedback from our penetration testing contractor, and > taking RFC8996[1]into consideration, the IETFwill begin phasing out > TLS 1.0 and 1.1 on IETF servicesin the coming days, > > We will begin [2] with requiring TLS 1.2 and above at Cloudflare and > monitor for issues[3]. We will then proceed making similar changes to > other services. > > Regards, > > -éric > > (liaison to the tools team for the IESG) > > [1] https://datatracker.ietf.org/doc/html/rfc8996 Deprecating TLS 1.0 > and TLS 1.1 > > [2] we will announce the change 24 hour in advance > > [3] monitoring potential drops in connection statistics as well as > opened cases > > > ___________________________________________________________ > Tools-discuss mailing list -Tools-discuss@ietf.org -https://www.ietf.org/mailman/listinfo/tools-discuss
- [Tools-discuss] Phasing out TLS 1.0/1.1 on IETF s… Eric Vyncke (evyncke)
- Re: [Tools-discuss] Phasing out TLS 1.0/1.1 on IE… Viktor Dukhovni
- Re: [Tools-discuss] Phasing out TLS 1.0/1.1 on IE… Eric Vyncke (evyncke)
- Re: [Tools-discuss] Phasing out TLS 1.0/1.1 on IE… S Moonesamy
- Re: [Tools-discuss] Phasing out TLS 1.0/1.1 on IE… Eric Vyncke (evyncke)
- Re: [Tools-discuss] Phasing out TLS 1.0/1.1 on IE… Robert Sparks