Re: [Tools-discuss] Phasing out TLS 1.0/1.1 on IETF services

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 24 June 2022 06:18 UTC

Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21B49C14CF03 for <tools-discuss@ietf.org>; Thu, 23 Jun 2022 23:18:24 -0700 (PDT)
Date: Fri, 24 Jun 2022 02:18:23 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tools-discuss@ietf.org
Message-ID: <YrVXL7p0K7uaWndI@straasha.imrryr.org>
References: <492E44F3-68AB-4252-925E-53A48D5D16FA@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <492E44F3-68AB-4252-925E-53A48D5D16FA@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tools-discuss/t1BY8Hqp768qPFBsP92h-zm-lTk>

On Fri, Jun 24, 2022 at 05:51:48AM +0000, Eric Vyncke (evyncke) wrote:

> Based on feedback from our penetration testing contractor, and taking
> RFC8996 [1] into consideration, the IETF will begin phasing out TLS
> 1.0 and 1.1 on IETF services in the coming days,

Will this also apply to SMTP traffic to/from mail.ietf.org?

Given that most SMTP traffic is still unauthenticated STARTTLS, and that
fallback to cleartext is common after failure to deliver via TLS,
disabling TLS 1.0 and 1.1 in SMTP rarely has tangible security benefits.
It may simply result in more traffic using cleartext and delays in
message delivery.  Some sending systems don't recover from STARTTLS
failure, retrying the handshake until messages expire and bounce.

A review of the mail logs on mail.ietf.org may be appropriate to
determine whether there is still non-negligible use of TLS 1.0 with some
systems that exchange mail with ietf.org (actually deliver or receive
some mail after establishing a TLS 1.0 connection).

It is possible that ietf.org no longer exchanges mail with substantially
outdated systems that are limited to TLS 1.0, but this is worth checking.

-- 
    Viktor.
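The mail-log review Viktor suggests above, as an added example that is not part of his message and not IETF tooling: it walks Postfix log lines, notes the TLS version each smtpd (inbound) or smtp (outbound) process negotiated, and credits a message to that version only when the same process then logs a real submission (queue id assigned) or delivery (status=sent). Handshakes that carried no mail, such as scanners that STARTTLS and quit, count as sessions but not messages, which is exactly the distinction the reply asks for. The log lines, host names and addresses below are constructed; the Postfix message formats are the ones Postfix emits, but any real review should be run on the server's own logs.

```python
import re
from collections import defaultdict

# Constructed Postfix log sample with hypothetical hosts (not real mail.ietf.org data).
SAMPLE_LOG = """\
Jun 23 22:01:03 mx postfix/smtpd[4101]: Anonymous TLS connection established from legacy.example.org[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun 23 22:01:04 mx postfix/smtpd[4101]: 1A2B3C4D5E: client=legacy.example.org[192.0.2.10]
Jun 23 22:01:05 mx postfix/smtpd[4101]: disconnect from legacy.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 23 22:05:11 mx postfix/smtpd[4102]: Anonymous TLS connection established from probe.example.net[203.0.113.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jun 23 22:05:12 mx postfix/smtpd[4102]: disconnect from probe.example.net[203.0.113.7] ehlo=2 starttls=1 quit=1 commands=5
Jun 23 22:10:01 mx postfix/smtpd[4103]: Anonymous TLS connection established from modern.example.com[198.51.100.20]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun 23 22:10:02 mx postfix/smtpd[4103]: 6F7A8B9C0D: client=modern.example.com[198.51.100.20]
Jun 23 22:10:03 mx postfix/smtpd[4103]: disconnect from modern.example.com[198.51.100.20] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 23 22:15:00 mx postfix/smtp[5201]: Untrusted TLS connection established to oldmx.example.org[192.0.2.40]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun 23 22:15:01 mx postfix/smtp[5201]: E1F2A3B4C5: to=<user@example.org>, relay=oldmx.example.org[192.0.2.40]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 12345)
Jun 23 22:20:00 mx postfix/smtp[5202]: Verified TLS connection established to mx.example.net[198.51.100.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 23 22:20:01 mx postfix/smtp[5202]: D6E7F8A9B0: to=<user@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# Syslog prefix, then the Postfix daemon and pid: smtpd is inbound, smtp is outbound.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>smtpd?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Postfix logs the negotiated protocol once STARTTLS succeeds, in both directions.
TLS_RE = re.compile(r"TLS connection established (?:from|to) (?P<peer>\S+?)(?::\d+)?: (?P<proto>TLSv[\d.]+) with cipher")
# Inbound: a queue id is only assigned once the client actually submits a message.
INBOUND_MSG_RE = re.compile(r"^[0-9A-F]+: client=")
LEGACY_PROTOS = ("TLSv1", "TLSv1.1")


def tally_tls_usage(log_text):
    """Return {direction: {proto: {peer: {"sessions": n, "messages": m}}}}."""
    live = {}  # (prog, pid) -> (proto, peer) for the TLS session in progress
    new_counter = lambda: defaultdict(lambda: defaultdict(lambda: {"sessions": 0, "messages": 0}))
    tally = {"inbound": new_counter(), "outbound": new_counter()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cleanup/qmgr/etc. lines carry no TLS attribution
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        key, direction = (prog, pid), ("inbound" if prog == "smtpd" else "outbound")
        t = TLS_RE.search(msg)
        if t:
            live[key] = (t["proto"], t["peer"])
            tally[direction][t["proto"]][t["peer"]]["sessions"] += 1
            continue
        if key not in live:
            continue  # cleartext session, or activity before STARTTLS
        proto, peer = live[key]
        if prog == "smtpd":
            if INBOUND_MSG_RE.match(msg):
                tally[direction][proto][peer]["messages"] += 1
            elif msg.startswith("disconnect from"):
                del live[key]  # session over; later lines from this pid are a new client
        # Outbound smtp processes are reused across destinations, so only credit
        # a delivery whose relay= matches the host the TLS session was made to.
        elif "status=sent" in msg and f"relay={peer}" in msg:
            tally[direction][proto][peer]["messages"] += 1
    return tally


def summarize(tally):
    """Collapse the per-peer tally to totals per direction and TLS version."""
    return {
        direction: {
            proto: {"sessions": sum(c["sessions"] for c in peers.values()),
                    "messages": sum(c["messages"] for c in peers.values()),
                    "peers": len(peers)}
            for proto, peers in by_proto.items()
        }
        for direction, by_proto in tally.items()
    }


def legacy_peers_with_mail(tally, protos=LEGACY_PROTOS):
    """Peers that actually exchanged mail over TLS 1.0/1.1, per direction."""
    return {
        direction: sorted(peer for proto in protos
                          for peer, c in by_proto.get(proto, {}).items() if c["messages"] > 0)
        for direction, by_proto in tally.items()
    }


if __name__ == "__main__":
    tally = tally_tls_usage(SAMPLE_LOG)
    for direction, protos in summarize(tally).items():
        for proto, counts in sorted(protos.items()):
            print(f"{direction:8} {proto:8} {counts}")
    print("legacy peers that exchanged mail:", legacy_peers_with_mail(tally))
```

On the constructed sample, probe.example.net shows up as a TLSv1 session with zero messages, while legacy.example.org and oldmx.example.org are the peers that would actually lose TLS (or stall, as the reply warns) if 1.0 were turned off for SMTP. Running this over a few weeks of real logs, with `legacy_peers_with_mail` as the output that matters, is the check the message proposes; the session-only entries are the ones safe to ignore.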