Diff: draft-ietf-tls-oldversions-deprecate-03.txt - draft-ietf-tls-oldversions-deprecate-04.txt

	draft-ietf-tls-oldversions-deprecate-03.txt	draft-ietf-tls-oldversions-deprecate-04.txt

	Internet Engineering Task Force K. Moriarty	Internet Engineering Task Force K. Moriarty
	Internet-Draft Dell EMC	Internet-Draft Dell EMC
	Updates: 8465 8422 8261 7568 7562 7525 S. Farrell	Updates: 8465 8422 8261 7568 7562 7525 S. Farrell
	7507 7465 7030 6750 6749 6739 Trinity College Dublin	7507 7465 7030 6750 6749 6739 Trinity College Dublin

	6460 6084 6083 6367 6347 6176 March 26, 2019	6460 6084 6083 6367 6347 6176 May 10, 2019
	6042 6012 5878 5734 5469 5456	6042 6012 5878 5734 5469 5456
	5422 5415 5364 5281 5263 5238	5422 5415 5364 5281 5263 5238
	5216 5158 5091 5054 5049 5024	5216 5158 5091 5054 5049 5024
	5023 5019 5018 4992 4976 4975	5023 5019 5018 4992 4976 4975
	4964 4851 4823 4791 4785 4744	4964 4851 4823 4791 4785 4744
	4743 4732 4712 4681 4680 4642	4743 4732 4712 4681 4680 4642
	4616 4582 4540 4531 4513 4497	4616 4582 4540 4531 4513 4497
	4279 4261 4235 4217 4168 4162	4279 4261 4235 4217 4168 4162
	4111 4097 3983 3943 3903 3887	4111 4097 3983 3943 3903 3887
	3871 3856 3767 3749 3656 3568	3871 3856 3767 3749 3656 3568
	3552 3501 3470 3436 3329 3261	3552 3501 3470 3436 3329 3261
	(if approved)	(if approved)
	Intended status: Best Current Practice	Intended status: Best Current Practice

	Expires: September 27, 2019	Expires: November 11, 2019

	Deprecating TLSv1.0 and TLSv1.1	Deprecating TLSv1.0 and TLSv1.1

	draft-ietf-tls-oldversions-deprecate-03	draft-ietf-tls-oldversions-deprecate-04

	Abstract	Abstract

	This document, if approved, formally deprecates Transport Layer	This document, if approved, formally deprecates Transport Layer
	Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves	Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves
	these documents to the historic state. These versions lack support	these documents to the historic state. These versions lack support
	for current and recommended cipher suites, and various government and	for current and recommended cipher suites, and various government and
	industry profiles of applications using TLS now mandate avoiding	industry profiles of applications using TLS now mandate avoiding
	these old TLS versions. TLSv1.2 has been the recommended version for	these old TLS versions. TLSv1.2 has been the recommended version for
	IETF protocols since 2008, providing sufficient time to transition	IETF protocols since 2008, providing sufficient time to transition

	skipping to change at page 2, line 20 ¶	skipping to change at page 2, line 20 ¶
	Internet-Drafts are working documents of the Internet Engineering	Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute	Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-	working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.	Drafts is at https://datatracker.ietf.org/drafts/current/.

	Internet-Drafts are draft documents valid for a maximum of six months	Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any	and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference	time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."	material or to cite them other than as "work in progress."


	This Internet-Draft will expire on September 27, 2019.	This Internet-Draft will expire on November 11, 2019.

	Copyright Notice	Copyright Notice

	Copyright (c) 2019 IETF Trust and the persons identified as the	Copyright (c) 2019 IETF Trust and the persons identified as the
	document authors. All rights reserved.	document authors. All rights reserved.

	This document is subject to BCP 78 and the IETF Trust's Legal	This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents	Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of	(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents	publication of this document. Please review these documents

	skipping to change at page 2, line 43 ¶	skipping to change at page 2, line 43 ¶
	include Simplified BSD License text as described in Section 4.e of	include Simplified BSD License text as described in Section 4.e of
	the Trust Legal Provisions and are provided without warranty as	the Trust Legal Provisions and are provided without warranty as
	described in the Simplified BSD License.	described in the Simplified BSD License.

	Table of Contents	Table of Contents

	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
	1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 4	1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 4
	1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4	1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
	2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 4	2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 4

	3. SHA-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5	3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 . . . . . . . 5
	4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6	4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6
	5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 6	5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 6
	6. Updates to RFC7525 . . . . . . . . . . . . . . . . . . . . . 7	6. Updates to RFC7525 . . . . . . . . . . . . . . . . . . . . . 7

	7. Security Considerations . . . . . . . . . . . . . . . . . . . 7	7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
	8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8	8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
	9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8	9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
	10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8	10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
	10.1. Normative References . . . . . . . . . . . . . . . . . . 8	10.1. Normative References . . . . . . . . . . . . . . . . . . 8
	10.2. Informative References . . . . . . . . . . . . . . . . . 16	10.2. Informative References . . . . . . . . . . . . . . . . . 16

	Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 21	Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 21
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22

	1. Introduction	1. Introduction

	skipping to change at page 4, line 7 ¶	skipping to change at page 4, line 7 ¶

	Deprecation of these versions is intended to assist developers as	Deprecation of these versions is intended to assist developers as
	additional justification to no longer support older TLS versions and	additional justification to no longer support older TLS versions and
	to migrate to a minimum of TLSv1.2. Deprecation also assists product	to migrate to a minimum of TLSv1.2. Deprecation also assists product
	teams with phasing out support for the older versions to reduce the	teams with phasing out support for the older versions to reduce the
	attack surface and the scope of maintenance for protocols in their	attack surface and the scope of maintenance for protocols in their
	offerings.	offerings.

	1.1. RFCs Updated	1.1. RFCs Updated


	This document updates these RFCs that normatively reference TLSv1.0	This document updates the following RFCs that normatively reference
	or TLSv1.1 or DTLS1.0 and have not been obsoleted: [RFC8465]	TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of
	[RFC8422] [RFC8261] [RFC7568] [RFC7562] [RFC7525] [RFC7507] [RFC7465]	these older versions. Fallback to these versions are prohibited
	[RFC6750] [RFC6749] [RFC6739] [RFC6460] [RFC6084] [RFC6083] [RFC6367]	through this update.
	[RFC6176] [RFC6042] [RFC6012] [RFC5878] [RFC5734] [RFC5469] [RFC5456]
	[RFC5422] [RFC5415] [RFC5364] [RFC5281] [RFC5263] [RFC5238] [RFC5216]	[RFC8465] [RFC8422] [RFC8261] [RFC7568] [RFC7562] [RFC7525] [RFC7507]
	[RFC5158] [RFC5091] [RFC5054] [RFC5049] [RFC5024] [RFC5023] [RFC5019]	[RFC7465] [RFC6750] [RFC6749] [RFC6739] [RFC6460] [RFC6084] [RFC6083]
	[RFC5018] [RFC4992] [RFC4976] [RFC4975] [RFC4964] [RFC4851] [RFC4823]	[RFC6367] [RFC6176] [RFC6042] [RFC6012] [RFC5878] [RFC5734] [RFC5469]
	[RFC4791] [RFC4785] [RFC4744] [RFC4743] [RFC4732] [RFC4712] [RFC4681]	[RFC5456] [RFC5422] [RFC5415] [RFC5364] [RFC5281] [RFC5263] [RFC5238]
	[RFC4680] [RFC4642] [RFC4616] [RFC4582] [RFC4540] [RFC4531] [RFC4513]	[RFC5216] [RFC5158] [RFC5091] [RFC5054] [RFC5049] [RFC5024] [RFC5023]
	[RFC4497] [RFC4279] [RFC4261] [RFC4235] [RFC4217] [RFC4168] [RFC4162]	[RFC5019] [RFC5018] [RFC4992] [RFC4976] [RFC4975] [RFC4964] [RFC4851]
	[RFC4111] [RFC4097] [RFC3983] [RFC3943] [RFC3903] [RFC3887] [RFC3871]	[RFC4823] [RFC4791] [RFC4785] [RFC4744] [RFC4743] [RFC4732] [RFC4712]
	[RFC3856] [RFC3767] [RFC3749] [RFC3656] [RFC3568] [RFC3552] [RFC3501]	[RFC4681] [RFC4680] [RFC4642] [RFC4616] [RFC4582] [RFC4540] [RFC4531]
	[RFC3470] [RFC3436] [RFC3329] [RFC3261]	[RFC4513] [RFC4497] [RFC4279] [RFC4261] [RFC4235] [RFC4217] [RFC4168]
		[RFC4162] [RFC4111] [RFC4097] [RFC3983] [RFC3943] [RFC3903] [RFC3887]
		[RFC3871] [RFC3856] [RFC3767] [RFC3749] [RFC3656] [RFC3568] [RFC3552]
		[RFC3501] [RFC3470] [RFC3436] [RFC3329] [RFC3261]

	In addition these RFCs normatively refer to TLSv1.0 or TLSv1.1 and	In addition these RFCs normatively refer to TLSv1.0 or TLSv1.1 and
	have been obsoleted: [RFC5101] [RFC5081] [RFC5077] [RFC4934]	have been obsoleted: [RFC5101] [RFC5081] [RFC5077] [RFC4934]
	[RFC4572] [RFC4507] [RFC4492] [RFC4366] [RFC4347] [RFC4244] [RFC4132]	[RFC4572] [RFC4507] [RFC4492] [RFC4366] [RFC4347] [RFC4244] [RFC4132]
	[RFC3920] [RFC3734] [RFC3588] [RFC3546] [RFC3489] [RFC3316]	[RFC3920] [RFC3734] [RFC3588] [RFC3546] [RFC3489] [RFC3316]

	In the case of [RFC4642], that has already been updated by [RFC8143]	In the case of [RFC4642], that has already been updated by [RFC8143]
	which makes an overlapping, but not quite the same, update as this	which makes an overlapping, but not quite the same, update as this
	document.	document.


	skipping to change at page 4, line 43 ¶	skipping to change at page 4, line 46 ¶
	1.2. Terminology	1.2. Terminology

	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
	"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and	"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
	"OPTIONAL" in this document are to be interpreted as described in BCP	"OPTIONAL" in this document are to be interpreted as described in BCP
	14 [RFC2119] [RFC8174] when, and only when, they appear in all	14 [RFC2119] [RFC8174] when, and only when, they appear in all
	capitals, as shown here.	capitals, as shown here.

	2. Support for Deprecation	2. Support for Deprecation


	Industry has actively followed guidance provided by NIST and the PCI
	Council to deprecate TLSv1.0 and TLSv1.1 by June 30, 2018. TLSv1.2
	should remain a minimum baseline for TLS support at this time.

	Specific details on attacks against TLSv1.0 and TLSv1.1 as well as	Specific details on attacks against TLSv1.0 and TLSv1.1 as well as
	their mitigations are provided in NIST SP800-52r2 [NIST800-52r2], RFC	their mitigations are provided in NIST SP800-52r2 [NIST800-52r2], RFC
	7457 [RFC7457] and other referenced RFCs. Although the attacks have	7457 [RFC7457] and other referenced RFCs. Although the attacks have
	been mitigated, if support is dropped for future library releases for	been mitigated, if support is dropped for future library releases for
	these versions, it is unlikely attacks found going forward will be	these versions, it is unlikely attacks found going forward will be
	mitigated in older library releases.	mitigated in older library releases.

	NIST for example have provided the following rationale, copied with	NIST for example have provided the following rationale, copied with
	permission from NIST SP800-52r2 [NIST800-52r2], section 1.2 "History	permission from NIST SP800-52r2 [NIST800-52r2], section 1.2 "History
	of TLS" (with references changed for RFC formatting).	of TLS" (with references changed for RFC formatting).

	skipping to change at page 5, line 41 ¶	skipping to change at page 5, line 41 ¶

	TLS 1.3, specified in TLSv1.3 [RFC8446], represents a significant	TLS 1.3, specified in TLSv1.3 [RFC8446], represents a significant
	change to TLS that aims to address threats that have arisen over	change to TLS that aims to address threats that have arisen over
	the years. Among the changes are a new handshake protocol, a new	the years. Among the changes are a new handshake protocol, a new
	key derivation process that uses the HMAC-based Extract-and-Expand	key derivation process that uses the HMAC-based Extract-and-Expand
	Key Derivation Function (HKDF), and the removal of cipher suites	Key Derivation Function (HKDF), and the removal of cipher suites
	that use static RSA or DH key exchanges, the CBC mode of	that use static RSA or DH key exchanges, the CBC mode of
	operation, or SHA-1. The list of extensions that can be used with	operation, or SHA-1. The list of extensions that can be used with
	TLS 1.3 has been reduced considerably.	TLS 1.3 has been reduced considerably.


	The Canadian government treasury board have also mandated that these	The German Federal Office for Information Security, recommends
	old versions of TLS not be used. [Canada]	against use of TLS versions less than 1.2 in the publication
		Cryptographic Mechanisms: Recommendations and Key Lengths
	Various companies and web sites have announced plans to deprecate	[TR-02102-2].
	these old versions of TLS.


	3. SHA-1	3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1

	The integrity of both TLSv1.0 and TLSv1.1 depends on a running SHA-1	The integrity of both TLSv1.0 and TLSv1.1 depends on a running SHA-1
	hash of the exchanged messages. This makes it possible to perform a	hash of the exchanged messages. This makes it possible to perform a
	downgrade attack on the handshake by an attacker able to perform 2^77	downgrade attack on the handshake by an attacker able to perform 2^77
	operations, well below the acceptable modern security margin.	operations, well below the acceptable modern security margin.

	Similarly, the authentication of the handshake depends on signatures	Similarly, the authentication of the handshake depends on signatures
	made using SHA-1 hash or a not stronger concatenation of MD-5 and	made using SHA-1 hash or a not stronger concatenation of MD-5 and
	SHA-1 hashes, allowing the attacker to impersonate a server when it	SHA-1 hashes, allowing the attacker to impersonate a server when it
	is able to break the severely weakened SHA-1 hash.	is able to break the severely weakened SHA-1 hash.

	skipping to change at page 7, line 22 ¶	skipping to change at page 7, line 22 ¶
	layer version number (TLSPlaintext.version) could contain when	layer version number (TLSPlaintext.version) could contain when
	sending ClientHello. Appendix E of [RFC5246] notes that	sending ClientHello. Appendix E of [RFC5246] notes that
	TLSPlaintext.version could be selected to maximize interoperability,	TLSPlaintext.version could be selected to maximize interoperability,
	though no definitive value is identified as ideal. That guidance is	though no definitive value is identified as ideal. That guidance is
	still applicable; therefore, TLS servers MUST accept any value	still applicable; therefore, TLS servers MUST accept any value
	{03,XX} (including {03,00}) as the record layer version number for	{03,XX} (including {03,00}) as the record layer version number for
	ClientHello, but they MUST NOT negotiate TLSv1.1.	ClientHello, but they MUST NOT negotiate TLSv1.1.

	6. Updates to RFC7525	6. Updates to RFC7525


		RFC7525 is BCP195, "Recommendations for Secure Use of Transport Layer
		Security (TLS) and Datagram Transport Layer Security (DTLS)", is the
		most recent best practice document for implementing TLS and was based
		on TLSv1.2. At the time of publication, TLSv1.0 and TLSv1.1 had not
		yet been deprecated. As such, this document is called out
		specifically to update text implementing the deprecation
		recommendations of this document.

	This documents updates [RFC7525] Section 3.1.1 changing SHOULD NOT to	This documents updates [RFC7525] Section 3.1.1 changing SHOULD NOT to
	MUST NOT as follows:	MUST NOT as follows:

	o Implementations MUST NOT negotiate TLS version 1.0 [RFC2246].	o Implementations MUST NOT negotiate TLS version 1.0 [RFC2246].

	Rationale: TLSv1.0 (published in 1999) does not support many	Rationale: TLSv1.0 (published in 1999) does not support many
	modern, strong cipher suites. In addition, TLSv1.0 lacks a per-	modern, strong cipher suites. In addition, TLSv1.0 lacks a per-
	record Initialization Vector (IV) for CBC-based cipher suites and	record Initialization Vector (IV) for CBC-based cipher suites and
	does not warn against common padding errors.	does not warn against common padding errors.


	skipping to change at page 8, line 9 ¶	skipping to change at page 8, line 16 ¶

	This document deprecates two older protocol versions for security	This document deprecates two older protocol versions for security
	reasons already described. The attack surface is reduced when there	reasons already described. The attack surface is reduced when there
	are a smaller number of supported protocols and fallback options are	are a smaller number of supported protocols and fallback options are
	removed.	removed.

	8. Acknowledgements	8. Acknowledgements

	Thanks to those that provided usage data, reviewed and/or improved	Thanks to those that provided usage data, reviewed and/or improved
	this document, including: David Benjamin, David Black, Viktor	this document, including: David Benjamin, David Black, Viktor

	Dukhovni, Julien Elie, Alessandro Ghedini, Jeremy Harris, Russ	Dukhovni, Julien Elie, Gary Gapinski, Alessandro Ghedini, Jeremy
	Housley, Hubert Kario, John Mattsson, Eric Mill, Yoav Nir, Andrei	Harris, Russ Housley, Hubert Kario, John Mattsson, Eric Mill, Yoav
	Popov, Eric Rescorla, Yaron Sheffer, Robert Sparks, Loganaden	Nir, Andrei Popov, Eric Rescorla, Yaron Sheffer, Robert Sparks,
	Velvindron, https://github.com/yaleman, and Jakub Wilk.	Martin Thomson, Loganaden Velvindron, https://github.com/yaleman, and
		Jakub Wilk.

	[[Note to RFC editor: At least Julien Elie's name above should have	[[Note to RFC editor: At least Julien Elie's name above should have
	an accent on the first letter of the surname. Please fix that and	an accent on the first letter of the surname. Please fix that and
	any others needing a similar fix if you can, I'm not sure the tooling	any others needing a similar fix if you can, I'm not sure the tooling
	I have now allows that.]]	I have now allows that.]]

	9. IANA Considerations	9. IANA Considerations

	[[This memo includes no request to IANA.]]	[[This memo includes no request to IANA.]]


	skipping to change at page 21, line 5 ¶	skipping to change at page 20, line 36 ¶
	<https://www.rfc-editor.org/info/rfc8446>.	<https://www.rfc-editor.org/info/rfc8446>.

	[RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS	[RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS
	and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018,	and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018,
	<https://www.rfc-editor.org/info/rfc8447>.	<https://www.rfc-editor.org/info/rfc8447>.

	[TGPP33310]	[TGPP33310]
	3GPP, "TS 33.310 - Network Domain Security (NDS);	3GPP, "TS 33.310 - Network Domain Security (NDS);
	Authentication Framework (AF)", 2016.	Authentication Framework (AF)", 2016.


		[TR-02102-2]
		The German Federal Office for Information Security https:/
		/www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/
		TechGuidelines/TG02102/BSI-TR-02102-2.pdf, "Technical
		Guideline TR-02102-2 Cryptographic Mechanisms:
		Recommendations and Key Lengths", 2019.

	Appendix A. Change Log	Appendix A. Change Log

	[[RFC editor: please remove this before publication.]]	[[RFC editor: please remove this before publication.]]

	From draft-ietf-tls-oldversions-deprecate-02 to draft-ietf-tls-	From draft-ietf-tls-oldversions-deprecate-02 to draft-ietf-tls-
	oldversions-deprecate-03:	oldversions-deprecate-03:

	o Added 8261 to updates list based on IETF-104 meeting.	o Added 8261 to updates list based on IETF-104 meeting.

	From draft-ietf-tls-oldversions-deprecate-01 to draft-ietf-tls-	From draft-ietf-tls-oldversions-deprecate-01 to draft-ietf-tls-

End of changes. 13 change blocks.
	34 lines changed or deleted	48 lines changed or added
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/