draft-ietf-tls-oldversions-deprecate-07.txt   draft-ietf-tls-oldversions-deprecate-08.txt 
Internet Engineering Task Force K. Moriarty Internet Engineering Task Force K. Moriarty
Internet-Draft Dell EMC Internet-Draft Dell EMC
Obsoletes: 7507 (if approved) S. Farrell Obsoletes: 7507 (if approved) S. Farrell
Updates: 8465 8422 8261 7568 7562 7525 Trinity College Dublin Updates: 8465 8422 8261 7568 7562 7525 Trinity College Dublin
7465 7030 6750 6749 6739 6614 October 9, 2020 7465 7030 6750 6749 6739 6460 October 14, 2020
6460 6084 6083 6367 6347 6176 6614 6367 6347 6176 6084 6083
6042 6012 5878 5734 5469 5456 6042 6012 5878 5734 5469 5456
5422 5415 5364 5281 5263 5238 5422 5415 5364 5281 5263 5238
5216 5158 5091 5054 5049 5024 5216 5158 5091 5054 5049 5024
5023 5019 5018 4992 4976 4975 5023 5019 5018 4992 4976 4975
4964 4851 4823 4791 4785 4744 4964 4851 4823 4791 4785 4744
4743 4732 4712 4681 4680 4642 4743 4732 4712 4681 4680 4642
4616 4582 4540 4531 4513 4497 4616 4582 4540 4531 4513 4497
4279 4261 4235 4217 4168 4162 4279 4261 4235 4217 4168 4162
4111 4097 3983 3943 3903 3887 4111 4097 3983 3943 3903 3887
3871 3856 3767 3749 3656 3568 3871 3856 3767 3749 3656 3568
3552 3501 3470 3436 3329 3261 3552 3501 3470 3436 3329 3261
(if approved) (if approved)
Intended status: Best Current Practice Intended status: Best Current Practice
Expires: April 12, 2021 Expires: April 17, 2021
Deprecating TLSv1.0 and TLSv1.1 Deprecating TLSv1.0 and TLSv1.1
draft-ietf-tls-oldversions-deprecate-07 draft-ietf-tls-oldversions-deprecate-08
Abstract Abstract
This document, if approved, formally deprecates Transport Layer This document, if approved, formally deprecates Transport Layer
Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346).
Accordingly, those documents (will be moved|have been moved) to Accordingly, those documents (will be moved|have been moved) to
Historic status. These versions lack support for current and Historic status. These versions lack support for current and
recommended cryptographic algorithms and mechanisms, and various recommended cryptographic algorithms and mechanisms, and various
government and industry profiles of applications using TLS now government and industry profiles of applications using TLS now
mandate avoiding these old TLS versions. TLSv1.2 has been the mandate avoiding these old TLS versions. TLSv1.2 has been the
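Review bot: The reshuffled Updates header in -08 is still not in descending order: 6460 now precedes 6614 (end of the line carrying "October 14, 2020"), and 6084 6083 trail 6176 on the line after it. Sorting the list strictly would make it easier to cross-check against the bracketed list of updated RFCs in the body. The abstract also still carries the "(will be moved|have been moved)" placeholder, which needs resolving before publication.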
skipping to change at page 2, line 20 skipping to change at page 2, line 20
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 12, 2021. This Internet-Draft will expire on April 17, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 3 1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 4 2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 5
3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 . . . . . . . 5 3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 . . . . . . . 6
4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6 4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6
5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 6 5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 7
6. Updates to RFC7525 . . . . . . . . . . . . . . . . . . . . . 7 6. Updates to RFC7525 . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
10.1. Normative References . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 17 10.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 21 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1 Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1
[RFC4346] were superceded by TLSv1.2 [RFC5246] in 2008, which has now [RFC4346] were superceded by TLSv1.2 [RFC5246] in 2008, which has now
itself been superceded by TLSv1.3 [RFC8446]. Datagram Transport itself been superceded by TLSv1.3 [RFC8446]. Datagram Transport
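Review bot: "superceded" appears twice in the first sentence of the Introduction and is carried unchanged into -08; the spelling is "superseded".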
skipping to change at page 4, line 8 skipping to change at page 4, line 8
TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of
these older versions. Fallback to these versions are prohibited these older versions. Fallback to these versions are prohibited
through this update. Specific references to mandatory minimum through this update. Specific references to mandatory minimum
protocol versions of TLSv1.0 or TLSv1.1 are replaced by TLSv1.2, and protocol versions of TLSv1.0 or TLSv1.1 are replaced by TLSv1.2, and
references to minimum protocol version DTLSv1.0 are replaced by references to minimum protocol version DTLSv1.0 are replaced by
DTLSv1.2. Statements that "TLS 1.0 is the most widely deployed DTLSv1.2. Statements that "TLS 1.0 is the most widely deployed
version and will provide the broadest interoperability" are removed version and will provide the broadest interoperability" are removed
without replacement. without replacement.
[RFC8465] [RFC8422] [RFC8261] [RFC7568] [RFC7562] [RFC7525] [RFC7465] [RFC8465] [RFC8422] [RFC8261] [RFC7568] [RFC7562] [RFC7525] [RFC7465]
[RFC7030] [RFC6750] [RFC6749] [RFC6739] [RFC6460] [RFC6084] [RFC6083] [RFC7030] [RFC6750] [RFC6749] [RFC6739] [RFC6084] [RFC6083] [RFC6367]
[RFC6367] [RFC6176] [RFC6042] [RFC6012] [RFC5878] [RFC5734] [RFC5469] [RFC6176] [RFC6042] [RFC6012] [RFC5878] [RFC5734] [RFC5469] [RFC5456]
[RFC5456] [RFC5422] [RFC5415] [RFC5364] [RFC5281] [RFC5263] [RFC5238] [RFC5422] [RFC5415] [RFC5364] [RFC5281] [RFC5263] [RFC5238] [RFC5216]
[RFC5216] [RFC5158] [RFC5091] [RFC5054] [RFC5049] [RFC5024] [RFC5023] [RFC5158] [RFC5091] [RFC5054] [RFC5049] [RFC5024] [RFC5023] [RFC5019]
[RFC5019] [RFC5018] [RFC4992] [RFC4976] [RFC4975] [RFC4964] [RFC4851] [RFC5018] [RFC4992] [RFC4976] [RFC4975] [RFC4964] [RFC4851] [RFC4823]
[RFC4823] [RFC4791] [RFC4785] [RFC4744] [RFC4743] [RFC4732] [RFC4712] [RFC4791] [RFC4785] [RFC4732] [RFC4712] [RFC4681] [RFC4680] [RFC4642]
[RFC4681] [RFC4680] [RFC4642] [RFC4616] [RFC4582] [RFC4540] [RFC4531] [RFC4616] [RFC4582] [RFC4540] [RFC4531] [RFC4513] [RFC4497] [RFC4279]
[RFC4513] [RFC4497] [RFC4279] [RFC4261] [RFC4235] [RFC4217] [RFC4168] [RFC4261] [RFC4235] [RFC4217] [RFC4168] [RFC4162] [RFC4111] [RFC4097]
[RFC4162] [RFC4111] [RFC4097] [RFC3983] [RFC3943] [RFC3903] [RFC3887] [RFC3983] [RFC3943] [RFC3903] [RFC3887] [RFC3871] [RFC3856] [RFC3767]
[RFC3871] [RFC3856] [RFC3767] [RFC3749] [RFC3656] [RFC3568] [RFC3552] [RFC3749] [RFC3656] [RFC3568] [RFC3552] [RFC3501] [RFC3470] [RFC3436]
[RFC3501] [RFC3470] [RFC3436] [RFC3329] [RFC3261] [RFC3329] [RFC3261]
The status of [RFC7562], [RFC6042], [RFC5456], [RFC5024], [RFC4540],
and [RFC3656] will be updated with permission of the Independent
Stream Editor.
In addition these RFCs normatively refer to TLSv1.0 or TLSv1.1 and In addition these RFCs normatively refer to TLSv1.0 or TLSv1.1 and
have already been obsoleted; they are still listed here and marked as have already been obsoleted; they are still listed here and marked as
updated by this document in order to reiterate that any usage of the updated by this document in order to reiterate that any usage of the
obsolete protocol should still use modern TLS: [RFC7507] [RFC5101] obsolete protocol should still use modern TLS: [RFC7507] [RFC5101]
[RFC5081] [RFC5077] [RFC4934] [RFC4572] [RFC4507] [RFC4492] [RFC4366] [RFC5081] [RFC5077] [RFC4934] [RFC4572] [RFC4507] [RFC4492] [RFC4366]
[RFC4347] [RFC4244] [RFC4132] [RFC3920] [RFC3734] [RFC3588] [RFC3546] [RFC4347] [RFC4244] [RFC4132] [RFC3920] [RFC3734] [RFC3588] [RFC3546]
[RFC3489] [RFC3316] [RFC3489] [RFC3316]
Note that [RFC4642] has already been updated by [RFC8143] ,which Note that [RFC4642] has already been updated by [RFC8143], which
makes an overlapping, but not quite identical, update as this makes an overlapping, but not quite identical, update as this
document. document.
[RFC6614] has a requirement for TLSv1.1 or later, although only makes [RFC6614] has a requirement for TLSv1.1 or later, although only makes
an informative reference to [RFC4346]. This requirement is updated an informative reference to [RFC4346]. This requirement is updated
to be for TLSv1.2 or later. to be for TLSv1.2 or later.
[RFC6460], [RFC4744], and [RFC4743] are already Historic; they are
still listed here and marked as updated by this document in order to
reiterate that any usage of the obsolete protocol should still use
modern TLS.
This document updates DTLS [RFC6347]. [RFC6347] had allowed for This document updates DTLS [RFC6347]. [RFC6347] had allowed for
negotiating the use of DTLSv1.0, which is now forbidden. negotiating the use of DTLSv1.0, which is now forbidden.
1.2. Terminology 1.2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Support for Deprecation 2. Support for Deprecation
Specific details on attacks against TLSv1.0 and TLSv1.1, as well as Specific details on attacks against TLSv1.0 and TLSv1.1, as well as
their mitigations, are provided in NIST SP800-52r2 [NIST800-52r2], their mitigations, are provided in [NIST800-52r2], RFC 7457 [RFC7457]
RFC 7457 [RFC7457] and other RFCs referenced therein. Although and other RFCs referenced therein. Although mitigations for the
mitigations for the current known vulnerabilities have been current known vulnerabilities have been developed, any future issues
developed, any future issues discovered in old protocol versions discovered in old protocol versions might not be mitigated in older
might not be mitigated in older library versions when newer library library versions when newer library versions do not support those old
versions do not support those old protocols. protocols.
NIST for example have provided the following rationale, copied with NIST for example have provided the following rationale, copied with
permission from NIST SP800-52r2 [NIST800-52r2], section 1.2 "History permission from [NIST800-52r2], section 1.2 "History of TLS" (with
of TLS" (with references changed for RFC formatting). references changed for RFC formatting).
TLS 1.1, specified in [RFC4346], was developed to address TLS 1.1, specified in [RFC4346], was developed to address
weaknesses discovered in TLS 1.0, primarily in the areas of weaknesses discovered in TLS 1.0, primarily in the areas of
initialization vector selection and padding error processing. initialization vector selection and padding error processing.
Initialization vectors were made explicit to prevent a certain Initialization vectors were made explicit to prevent a certain
class of attacks on the Cipher Block Chaining (CBC) mode of class of attacks on the Cipher Block Chaining (CBC) mode of
operation used by TLS. The handling of padding errors was altered operation used by TLS. The handling of padding errors was altered
to treat a padding error as a bad message authentication code, to treat a padding error as a bad message authentication code,
rather than a decryption failure. In addition, the TLS 1.1 RFC rather than a decryption failure. In addition, the TLS 1.1 RFC
acknowledges attacks on CBC mode that rely on the time to compute acknowledges attacks on CBC mode that rely on the time to compute
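Review bot: The new paragraph covering [RFC6460], [RFC4744] and [RFC4743] reuses the wording "any usage of the obsolete protocol" from the paragraph on already-obsoleted RFCs, but these three are described as Historic, not obsoleted; "any usage of those protocols" or similar would fit. Separately, the retained paragraph lists [RFC7507] among RFCs that "have already been obsoleted", while the document header still reads "Obsoletes: 7507 (if approved)"; one of the two statements needs correcting. "Fallback to these versions are prohibited" near the top of this block should read "is prohibited".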
skipping to change at page 8, line 19 skipping to change at page 8, line 33
This document deprecates two older TLS protocol versions and one This document deprecates two older TLS protocol versions and one
older DTLS protocol version for security reasons already described. older DTLS protocol version for security reasons already described.
The attack surface is reduced when there are a smaller number of The attack surface is reduced when there are a smaller number of
supported protocols and fallback options are removed. supported protocols and fallback options are removed.
8. Acknowledgements 8. Acknowledgements
Thanks to those that provided usage data, reviewed and/or improved Thanks to those that provided usage data, reviewed and/or improved
this document, including: David Benjamin, David Black, Alan DeKok, this document, including: David Benjamin, David Black, Alan DeKok,
Viktor Dukhovni, Julien Elie, Gary Gapinski, Alessandro Ghedini, Viktor Dukhovni, Julien Elie, Gary Gapinski, Alessandro Ghedini,
Jeremy Harris, James Hodgkinson, Russ Housley, Hubert Kario, John Jeremy Harris, James Hodgkinson, Russ Housley, Hubert Kario, Ben
Mattsson, Eric Mill, Yoav Nir, Andrei Popov, Eric Rescorla, Yaron Kaduk, John Mattsson, Eric Mill, Yoav Nir, Andrei Popov, Eric
Sheffer, Robert Sparks, Martin Thomson, Loganaden Velvindron, and Rescorla, Yaron Sheffer, Robert Sparks, Martin Thomson, Loganaden
Jakub Wilk. Velvindron, and Jakub Wilk.
[[Note to RFC editor: At least Julien Elie's name above should have [[Note to RFC editor: At least Julien Elie's name above should have
an accent on the first letter of the surname. Please fix that and an accent on the first letter of the surname. Please fix that and
any others needing a similar fix if you can, I'm not sure the tooling any others needing a similar fix if you can, I'm not sure the tooling
I have now allows that.]] I have now allows that.]]
9. IANA Considerations 9. IANA Considerations
[[This memo includes no request to IANA.]] [[This memo includes no request to IANA.]]
skipping to change at page 17, line 15 skipping to change at page 17, line 35
10.2. Informative References 10.2. Informative References
[Bhargavan2016] [Bhargavan2016]
Bhargavan, K. and G. Leuren, "Transcript Collision Bhargavan, K. and G. Leuren, "Transcript Collision
Attacks: Breaking Authentication in TLS, IKE, and SSH Attacks: Breaking Authentication in TLS, IKE, and SSH
https://www.mitls.org/downloads/transcript- https://www.mitls.org/downloads/transcript-
collisions.pdf", 2016. collisions.pdf", 2016.
[NIST800-52r2] [NIST800-52r2]
National Institute of Standards and Technology, "NIST National Institute of Standards and Technology, "NIST
SP800-52r2 https://csrc.nist.gov/CSRC/media/Publications/ SP800-52r2
sp/800-52/rev-2/draft/documents/sp800-52r2-draft.pdf", https://nvlpubs.nist.gov/nistpubs/SpecialPublications/
2018. NIST.SP.800-52r2.pdf", August 2019.
[RFC3316] Arkko, J., Kuijpers, G., Soliman, H., Loughney, J., and J. [RFC3316] Arkko, J., Kuijpers, G., Soliman, H., Loughney, J., and J.
Wiljakka, "Internet Protocol Version 6 (IPv6) for Some Wiljakka, "Internet Protocol Version 6 (IPv6) for Some
Second and Third Generation Cellular Hosts", RFC 3316, Second and Third Generation Cellular Hosts", RFC 3316,
DOI 10.17487/RFC3316, April 2003, DOI 10.17487/RFC3316, April 2003,
<https://www.rfc-editor.org/info/rfc3316>. <https://www.rfc-editor.org/info/rfc3316>.
[RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy,
"STUN - Simple Traversal of User Datagram Protocol (UDP) "STUN - Simple Traversal of User Datagram Protocol (UDP)
Through Network Address Translators (NATs)", RFC 3489, Through Network Address Translators (NATs)", RFC 3489,
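Review bot: The updated [NIST800-52r2] entry now points at the final August 2019 publication, but the URL is still inside the quoted title, as it is in [Bhargavan2016]; put each URL in angle brackets after the title, the way the RFC entries below do. In [Bhargavan2016] the second author is given as "G. Leuren"; the paper's second author is G. Leurent.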
 End of changes. 14 change blocks. 
37 lines changed or deleted 46 lines changed or added
