draft-ietf-tls-oldversions-deprecate-03.txt   draft-ietf-tls-oldversions-deprecate-04.txt 
Internet Engineering Task Force                               K. Moriarty
Internet-Draft                                                   Dell EMC
Updates: 8465 8422 8261 7568 7562 7525                         S. Farrell
         7507 7465 7030 6750 6749 6739                 Trinity College Dublin
         6460 6084 6083 6367 6347 6176    March 26, 2019 (-03) / May 10, 2019 (-04)
         6042 6012 5878 5734 5469 5456
         5422 5415 5364 5281 5263 5238
         5216 5158 5091 5054 5049 5024
         5023 5019 5018 4992 4976 4975
         4964 4851 4823 4791 4785 4744
         4743 4732 4712 4681 4680 4642
         4616 4582 4540 4531 4513 4497
         4279 4261 4235 4217 4168 4162
         4111 4097 3983 3943 3903 3887
         3871 3856 3767 3749 3656 3568
         3552 3501 3470 3436 3329 3261
         (if approved)
Intended status: Best Current Practice
Expires: September 27, 2019 (-03) / November 11, 2019 (-04)

                     Deprecating TLSv1.0 and TLSv1.1
   draft-ietf-tls-oldversions-deprecate-03 / draft-ietf-tls-oldversions-deprecate-04
Abstract

   This document, if approved, formally deprecates Transport Layer
   Security (TLS) versions 1.0 [RFC2246] and 1.1 [RFC4346] and moves
   these documents to the historic state.  These versions lack support
   for current and recommended cipher suites, and various government and
   industry profiles of applications using TLS now mandate avoiding
   these old TLS versions.  TLSv1.2 has been the recommended version for
   IETF protocols since 2008, providing sufficient time to transition

   skipping to change at page 2, line 20

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 27, 2019 (-03) /
   November 11, 2019 (-04).

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   skipping to change at page 2, line 43

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  RFCs Updated  . . . . . . . . . . . . . . . . . . . . . .   4
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Support for Deprecation . . . . . . . . . . . . . . . . . . .   4
   3.  SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1  . . . . . . .   5
       (-03 title: "SHA-1")
   4.  Do Not Use TLSv1.0  . . . . . . . . . . . . . . . . . . . . .   6
   5.  Do Not Use TLSv1.1  . . . . . . . . . . . . . . . . . . . . .   6
   6.  Updates to RFC7525  . . . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
       (-03: page 7)
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   8
     10.2.  Informative References . . . . . . . . . . . . . . . . .  16
   Appendix A.  Change Log  . . . . . . . . . . . . . . . . . . . . .  21
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  22

1.  Introduction

   skipping to change at page 4, line 7

   Deprecation of these versions is intended to assist developers as
   additional justification to no longer support older TLS versions and
   to migrate to a minimum of TLSv1.2.  Deprecation also assists product
   teams with phasing out support for the older versions to reduce the
   attack surface and the scope of maintenance for protocols in their
   offerings.
1.1.  RFCs Updated

   -03 text:

   This document updates these RFCs that normatively reference TLSv1.0
   or TLSv1.1 or DTLS1.0 and have not been obsoleted:

   -04 text:

   This document updates the following RFCs that normatively reference
   TLSv1.0 or TLSv1.1 or DTLS1.0.  The update is to obsolete usage of
   these older versions.  Fallback to these versions is prohibited
   through this update.

   The list of updated RFCs is identical in both versions:

   [RFC8465] [RFC8422] [RFC8261] [RFC7568] [RFC7562] [RFC7525] [RFC7507]
   [RFC7465] [RFC6750] [RFC6749] [RFC6739] [RFC6460] [RFC6084] [RFC6083]
   [RFC6367] [RFC6176] [RFC6042] [RFC6012] [RFC5878] [RFC5734] [RFC5469]
   [RFC5456] [RFC5422] [RFC5415] [RFC5364] [RFC5281] [RFC5263] [RFC5238]
   [RFC5216] [RFC5158] [RFC5091] [RFC5054] [RFC5049] [RFC5024] [RFC5023]
   [RFC5019] [RFC5018] [RFC4992] [RFC4976] [RFC4975] [RFC4964] [RFC4851]
   [RFC4823] [RFC4791] [RFC4785] [RFC4744] [RFC4743] [RFC4732] [RFC4712]
   [RFC4681] [RFC4680] [RFC4642] [RFC4616] [RFC4582] [RFC4540] [RFC4531]
   [RFC4513] [RFC4497] [RFC4279] [RFC4261] [RFC4235] [RFC4217] [RFC4168]
   [RFC4162] [RFC4111] [RFC4097] [RFC3983] [RFC3943] [RFC3903] [RFC3887]
   [RFC3871] [RFC3856] [RFC3767] [RFC3749] [RFC3656] [RFC3568] [RFC3552]
   [RFC3501] [RFC3470] [RFC3436] [RFC3329] [RFC3261]

   In addition, these RFCs normatively refer to TLSv1.0 or TLSv1.1 and
   have been obsoleted: [RFC5101] [RFC5081] [RFC5077] [RFC4934]
   [RFC4572] [RFC4507] [RFC4492] [RFC4366] [RFC4347] [RFC4244] [RFC4132]
   [RFC3920] [RFC3734] [RFC3588] [RFC3546] [RFC3489] [RFC3316]

   [RFC4642] has already been updated by [RFC8143], which makes an
   overlapping, but not quite the same, update as this document.
   skipping to change at page 4, line 43 (-03) / line 46 (-04)

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Support for Deprecation

   [paragraph added in -04:]

   Industry has actively followed guidance provided by NIST and the PCI
   Council to deprecate TLSv1.0 and TLSv1.1 by June 30, 2018.  TLSv1.2
   should remain a minimum baseline for TLS support at this time.

   Specific details on attacks against TLSv1.0 and TLSv1.1 as well as
   their mitigations are provided in NIST SP800-52r2 [NIST800-52r2], RFC
   7457 [RFC7457] and other referenced RFCs.  Although the attacks have
   been mitigated, if support for these versions is dropped from future
   library releases, it is unlikely that attacks found going forward
   will be mitigated in older library releases.

   NIST, for example, has provided the following rationale, copied with
   permission from NIST SP800-52r2 [NIST800-52r2], section 1.2 "History
   of TLS" (with references changed for RFC formatting).

   skipping to change at page 5, line 41

      TLS 1.3, specified in TLSv1.3 [RFC8446], represents a significant
      change to TLS that aims to address threats that have arisen over
      the years.  Among the changes are a new handshake protocol, a new
      key derivation process that uses the HMAC-based Extract-and-Expand
      Key Derivation Function (HKDF), and the removal of cipher suites
      that use static RSA or DH key exchanges, the CBC mode of
      operation, or SHA-1.  The list of extensions that can be used with
      TLS 1.3 has been reduced considerably.

   -03 text:

   The Canadian government treasury board has also mandated that these
   old versions of TLS not be used.  [Canada]

   Various companies and web sites have announced plans to deprecate
   these old versions of TLS.

   -04 text:

   The German Federal Office for Information Security recommends
   against use of TLS versions less than 1.2 in the publication
   Cryptographic Mechanisms: Recommendations and Key Lengths
   [TR-02102-2].
3.  SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1
    (-03 title: "3.  SHA-1")

   The integrity of both TLSv1.0 and TLSv1.1 depends on a running SHA-1
   hash of the exchanged messages.  This makes it possible to perform a
   downgrade attack on the handshake by an attacker able to perform 2^77
   operations, well below the acceptable modern security margin.
   Similarly, the authentication of the handshake depends on signatures
   made using SHA-1 hash or a not stronger concatenation of MD-5 and
   SHA-1 hashes, allowing the attacker to impersonate a server when it
   is able to break the severely weakened SHA-1 hash.

   skipping to change at page 7, line 22

   layer version number (TLSPlaintext.version) could contain when
   sending ClientHello.  Appendix E of [RFC5246] notes that
   TLSPlaintext.version could be selected to maximize interoperability,
   though no definitive value is identified as ideal.  That guidance is
   still applicable; therefore, TLS servers MUST accept any value
   {03,XX} (including {03,00}) as the record layer version number for
   ClientHello, but they MUST NOT negotiate TLSv1.1.
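   The rule above separates two things a server implementation can
   easily conflate: the record-layer version on the ClientHello, which
   must be tolerated whatever {03,XX} value it carries, and the version
   actually negotiated, which must never be TLSv1.1 (Section 6 applies
   the same MUST NOT to TLSv1.0).  The following Python is an added
   example written for this page, not code from the draft or from any
   TLS library.  It parses a minimal ClientHello far enough to read the
   record-layer version, the legacy client_version and the
   supported_versions extension (type 43, from RFC 8446), then picks the
   highest mutually supported version no lower than TLSv1.2 and raises
   an error that corresponds to the protocol_version alert (code 70)
   otherwise.  The build_client_hello helper produces constructed test
   messages, not captured traffic; the function names are the example's
   own.

```python
"""Added example for this page (not code from the draft or any TLS library):
server-side TLS version selection that accepts any {03,XX} record-layer
version on the ClientHello, as Section 5 requires, but never negotiates
TLSv1.0 or TLSv1.1, as Sections 4 to 6 require."""
import struct

# ProtocolVersion values as (major, minor) byte pairs.
TLS10, TLS11, TLS12, TLS13 = (3, 1), (3, 2), (3, 3), (3, 4)
MIN_VERSION = TLS12            # the floor this deprecation establishes
SUPPORTED_VERSIONS_EXT = 43    # supported_versions extension type (RFC 8446)
PROTOCOL_VERSION_ALERT = 70    # AlertDescription protocol_version


class HandshakeError(Exception):
    """Raised where a real server would send a fatal alert."""


def parse_client_hello(record: bytes):
    """Parse a TLS record carrying a ClientHello just far enough to return
    (record_version, legacy client_version, supported_versions or None).
    Only the fields this example needs are decoded."""
    if len(record) < 5 or record[0] != 22:              # ContentType handshake
        raise HandshakeError("not a handshake record")
    rec_ver = (record[1], record[2])
    (length,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + length]
    if len(body) != length or body[0] != 1:             # HandshakeType client_hello
        raise HandshakeError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    if len(ch) != hs_len or hs_len < 35:
        raise HandshakeError("truncated ClientHello")
    client_version = (ch[0], ch[1])
    pos = 2 + 32                                        # skip Random
    pos += 1 + ch[pos]                                  # session_id
    (cs_len,) = struct.unpack("!H", ch[pos:pos + 2])
    pos += 2 + cs_len                                   # cipher_suites
    pos += 1 + ch[pos]                                  # compression_methods
    supported = None
    if pos < len(ch):                                   # extensions present
        (ext_len,) = struct.unpack("!H", ch[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
            pos += 4
            edata = ch[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]                            # byte length of the version list
                supported = [(edata[i], edata[i + 1]) for i in range(1, 1 + n, 2)]
    return rec_ver, client_version, supported


def select_version(record: bytes, server_versions=(TLS13, TLS12)):
    """Return the ProtocolVersion to negotiate, or raise HandshakeError
    (the caller would then send alert protocol_version, code 70)."""
    rec_ver, client_version, supported = parse_client_hello(record)
    # Section 5: any {03,XX} record-layer version on the ClientHello,
    # {03,00} included, is accepted; it plays no part in negotiation.
    if rec_ver[0] != 3:
        raise HandshakeError("record-layer version is not {03,XX}")
    if supported is not None:
        offered = supported                             # TLS 1.3 style list
    else:
        # Legacy semantics: client_version is the highest version the client
        # supports, so every version at or below it is on offer.
        offered = [v for v in (TLS10, TLS11, TLS12, TLS13) if v <= client_version]
    for v in sorted(server_versions, reverse=True):
        if v in offered and v >= MIN_VERSION:
            return v
    # No fallback to TLSv1.0/TLSv1.1, whatever the client offered.
    raise HandshakeError(f"no version >= TLSv1.2 offered (alert {PROTOCOL_VERSION_ALERT})")


def build_client_hello(record_version, client_version, supported_versions=None) -> bytes:
    """Constructed sample ClientHello for testing (not a captured message):
    zero Random, empty session_id, one cipher suite, null compression."""
    ch = bytes(client_version) + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    if supported_versions is not None:
        data = bytes([2 * len(supported_versions)]) + b"".join(bytes(v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
        ch += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # A TLSv1.2-only client whose record layer still says {03,00}: accepted.
    print(select_version(build_client_hello((3, 0), TLS12)))          # (3, 3)
    # A client that offers only TLSv1.0/1.1: refused rather than downgraded.
    try:
        select_version(build_client_hello((3, 1), TLS12, [TLS11, TLS10]))
    except HandshakeError as e:
        print("refused:", e)
```

   The legacy branch is where fallback would otherwise creep in: a
   client advertising client_version {03,01} is not downgraded to but
   refused, which is the behaviour both the MUST NOT in Section 5 and
   the MUST NOT in Section 6 call for.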
6.  Updates to RFC7525

   [paragraph added in -04:]

   RFC7525, BCP195, "Recommendations for Secure Use of Transport Layer
   Security (TLS) and Datagram Transport Layer Security (DTLS)", is the
   most recent best practice document for implementing TLS and was based
   on TLSv1.2.  At the time of publication, TLSv1.0 and TLSv1.1 had not
   yet been deprecated.  As such, RFC7525 is called out specifically so
   that its text can be updated to implement the deprecation
   recommendations of this document.

   This document updates [RFC7525] Section 3.1.1 changing SHOULD NOT to
   MUST NOT as follows:

   o  Implementations MUST NOT negotiate TLS version 1.0 [RFC2246].

      Rationale: TLSv1.0 (published in 1999) does not support many
      modern, strong cipher suites.  In addition, TLSv1.0 lacks a per-
      record Initialization Vector (IV) for CBC-based cipher suites and
      does not warn against common padding errors.

   skipping to change at page 8, line 9 (-03) / line 16 (-04)

   This document deprecates two older protocol versions for security
   reasons already described.  The attack surface is reduced when there
   are a smaller number of supported protocols and fallback options are
   removed.

8.  Acknowledgements

   Thanks to those that provided usage data, reviewed and/or improved
   this document, including: David Benjamin, David Black, Viktor
   Dukhovni, Julien Elie, Gary Gapinski, Alessandro Ghedini, Jeremy
   Harris, Russ Housley, Hubert Kario, John Mattsson, Eric Mill, Yoav
   Nir, Andrei Popov, Eric Rescorla, Yaron Sheffer, Robert Sparks,
   Martin Thomson, Loganaden Velvindron, https://github.com/yaleman, and
   Jakub Wilk.  (Gary Gapinski and Martin Thomson were added in -04.)

   [[Note to RFC editor: At least Julien Elie's name above should have
   an accent on the first letter of the surname.  Please fix that and
   any others needing a similar fix if you can, I'm not sure the tooling
   I have now allows that.]]

9.  IANA Considerations

   [[This memo includes no request to IANA.]]
   skipping to change at page 21, line 5 (-03) / page 20, line 36 (-04)

              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC8447]  Salowey, J. and S. Turner, "IANA Registry Updates for TLS
              and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018,
              <https://www.rfc-editor.org/info/rfc8447>.

   [TGPP33310]
              3GPP, "TS 33.310 - Network Domain Security (NDS);
              Authentication Framework (AF)", 2016.

   [TR-02102-2]  (reference added in -04)
              The German Federal Office for Information Security,
              "Technical Guideline TR-02102-2 Cryptographic Mechanisms:
              Recommendations and Key Lengths", 2019,
              <https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf>.

Appendix A.  Change Log

   [[RFC editor: please remove this before publication.]]

   From draft-ietf-tls-oldversions-deprecate-02 to draft-ietf-tls-
   oldversions-deprecate-03:

   o  Added 8261 to updates list based on IETF-104 meeting.

   From draft-ietf-tls-oldversions-deprecate-01 to draft-ietf-tls-
End of changes.  13 change blocks.
34 lines changed or deleted, 48 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/