draft-ietf-tls-oldversions-deprecate-11.txt   draft-ietf-tls-oldversions-deprecate-12.txt 
Internet Engineering Task Force K. Moriarty Internet Engineering Task Force K. Moriarty
Internet-Draft Dell EMC Internet-Draft Dell EMC
Obsoletes: 5469 7507 (if approved) S. Farrell Obsoletes: 5469 7507 (if approved) S. Farrell
Updates: 8422 8261 7568 7562 7525 7465 Trinity College Dublin Updates: 8422 8261 7568 7562 7525 7465 Trinity College Dublin
7030 6750 6749 6739 6460 6614 December 15, 2020 7030 6750 6749 6739 6460 6614 January 21, 2021
6367 6353 6347 6176 6084 6083 6367 6353 6347 6176 6084 6083
6042 6012 5953 5878 5734 5456 6042 6012 5953 5878 5734 5456
5422 5415 5364 5281 5263 5238 5422 5415 5364 5281 5263 5238
5216 5158 5091 5054 5049 5024 5216 5158 5091 5054 5049 5024
5023 5019 5018 4992 4976 4975 5023 5019 5018 4992 4976 4975
4964 4851 4823 4791 4785 4744 4964 4851 4823 4791 4785 4744
4743 4732 4712 4681 4680 4642 4743 4732 4712 4681 4680 4642
4616 4582 4540 4531 4513 4497 4616 4582 4540 4531 4513 4497
4279 4261 4235 4217 4168 4162 4279 4261 4235 4217 4168 4162
4111 4097 3983 3943 3903 3887 4111 4097 3983 3943 3903 3887
3871 3856 3767 3749 3656 3568 3871 3856 3767 3749 3656 3568
3552 3501 3470 3436 3329 3261 3552 3501 3470 3436 3329 3261
(if approved) (if approved)
Intended status: Best Current Practice Intended status: Best Current Practice
Expires: June 18, 2021 Expires: July 25, 2021
Deprecating TLSv1.0 and TLSv1.1 Deprecating TLSv1.0 and TLSv1.1
draft-ietf-tls-oldversions-deprecate-11 draft-ietf-tls-oldversions-deprecate-12
Abstract Abstract
This document, if approved, formally deprecates Transport Layer This document, if approved, formally deprecates Transport Layer
Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346).
Accordingly, those documents (will be moved|have been moved) to Accordingly, those documents (will be moved|have been moved) to
Historic status. These versions lack support for current and Historic status. These versions lack support for current and
recommended cryptographic algorithms and mechanisms, and various recommended cryptographic algorithms and mechanisms, and various
government and industry profiles of applications using TLS now government and industry profiles of applications using TLS now
mandate avoiding these old TLS versions. TLSv1.2 has been the mandate avoiding these old TLS versions. TLSv1.2 became the
recommended version for IETF protocols since 2008, providing recommended version for IETF protocols in 2008, (subsequently being
sufficient time to transition away from older versions. Removing obsoleted by TLSv1.3 in 2018), providing sufficient time to
support for older versions from implementations reduces the attack transition away from older versions. Removing support for older
surface, reduces opportunity for misconfiguration, and streamlines versions from implementations reduces the attack surface, reduces
library and product maintenance. opportunity for misconfiguration, and streamlines library and product
maintenance.
This document also deprecates Datagram TLS (DTLS) version 1.0 This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC
(RFC4347), but not DTLS version 1.2, and there is no DTLS version 4347), but not DTLS version 1.2, and there is no DTLS version 1.1.
1.1.
This document updates many RFCs that normatively refer to TLSv1.0 or This document updates many RFCs that normatively refer to TLSv1.0 or
TLSv1.1 as described herein. This document also updates the best TLSv1.1 as described herein. This document also updates the best
practices for TLS usage in RFC 7525 and hence is part of BCP195. practices for TLS usage in RFC 7525 and hence is part of BCP 195.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 18, 2021. This Internet-Draft will expire on July 25, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
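Review bot: In the -12 abstract, the reworded sentence "in 2008, (subsequently being obsoleted by TLSv1.3 in 2018), providing sufficient time" has a stray comma before the opening parenthesis, and the parenthetical now sits between "2008" and the "providing sufficient time" clause that depends on it. Suggest "in 2008 (subsequently being obsoleted by TLSv1.3 in 2018), providing sufficient time to transition". The "(will be moved|have been moved)" placeholder is also still unresolved in both versions and needs a final choice before publication.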
skipping to change at page 2, line 46 skipping to change at page 2, line 46
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 3 1.1. RFCs Updated . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 5 2. Support for Deprecation . . . . . . . . . . . . . . . . . . . 5
3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 . . . . . . . 6 3. SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1 . . . . . . . 6
4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6 4. Do Not Use TLSv1.0 . . . . . . . . . . . . . . . . . . . . . 6
5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 7 5. Do Not Use TLSv1.1 . . . . . . . . . . . . . . . . . . . . . 7
6. Updates to RFC7525 . . . . . . . . . . . . . . . . . . . . . 8 6. Updates to RFC 7525 . . . . . . . . . . . . . . . . . . . . . 8
7. Operational Considerations . . . . . . . . . . . . . . . . . 8 7. Operational Considerations . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
11.1. Normative References . . . . . . . . . . . . . . . . . . 9 11.1. Normative References . . . . . . . . . . . . . . . . . . 9
11.2. Informative References . . . . . . . . . . . . . . . . . 18 11.2. Informative References . . . . . . . . . . . . . . . . . 18
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 22 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1 Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1
[RFC4346] were superseded by TLSv1.2 [RFC5246] in 2008, which has now [RFC4346] were superseded by TLSv1.2 [RFC5246] in 2008, which has now
itself been superseded by TLSv1.3 [RFC8446]. Datagram Transport itself been superseded by TLSv1.3 [RFC8446]. Datagram Transport
Layer Security (DTLS) version 1.0 [RFC4347] was superseded by Layer Security (DTLS) version 1.0 [RFC4347] was superseded by
DTLSv1.2 [RFC6347] in 2012. It is therefore timely to further DTLSv1.2 [RFC6347] in 2012. It is therefore timely to further
deprecate these old versions. Accordingly, those documents (will be deprecate TLSv1.0, TLSv1.1 and DTLSv1.0. Accordingly, those
moved|have been moved) to Historic status. documents (will be moved|have been moved) to Historic status.
Technical reasons for deprecating these versions include: Technical reasons for deprecating these versions include:
o They require implementation of older cipher suites that are no o They require implementation of older cipher suites that are no
longer desirable for cryptographic reasons, e.g., TLSv1.0 makes longer desirable for cryptographic reasons, e.g., TLSv1.0 makes
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory to implement TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory to implement
o Lack of support for current recommended cipher suites, especially o Lack of support for current recommended cipher suites, especially
AEAD ciphers which are not supported prior to TLSv1.2. Note: AEAD ciphers which are not supported prior to TLSv1.2. Note:
registry entries for no-longer-desirable ciphersuites remain in registry entries for no-longer-desirable ciphersuites remain in
the registries, but many TLS registries are being updated through the registries, but many TLS registries are being updated through
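Review bot: In the Introduction of -12, replacing "these old versions" with "TLSv1.0, TLSv1.1 and DTLSv1.0" leaves the next sentence, "Accordingly, those documents ... to Historic status", without a document antecedent, since the preceding sentence now names protocol versions only. Suggest naming the specifications being moved, for example "Accordingly, [RFC2246], [RFC4346] and [RFC4347] ...". The Introduction also says TLSv1.2 was "superseded" by TLSv1.3 while the new abstract text says "obsoleted"; pick one term.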
skipping to change at page 3, line 49 skipping to change at page 3, line 49
additional justification to no longer support older (D)TLS versions additional justification to no longer support older (D)TLS versions
and to migrate to a minimum of (D)TLSv1.2. Deprecation also assists and to migrate to a minimum of (D)TLSv1.2. Deprecation also assists
product teams with phasing out support for the older versions, to product teams with phasing out support for the older versions, to
reduce the attack surface and the scope of maintenance for protocols reduce the attack surface and the scope of maintenance for protocols
in their offerings. in their offerings.
1.1. RFCs Updated 1.1. RFCs Updated
This document updates the following RFCs that normatively reference This document updates the following RFCs that normatively reference
TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of
these older versions. Fallback to these versions are prohibited these older versions. Fallback to these versions is prohibited
through this update. Specific references to mandatory minimum through this update. Specific references to mandatory minimum
protocol versions of TLSv1.0 or TLSv1.1 are replaced by TLSv1.2, and protocol versions of TLSv1.0 or TLSv1.1 are replaced by TLSv1.2, and
references to minimum protocol version DTLSv1.0 are replaced by references to minimum protocol version DTLSv1.0 are replaced by
DTLSv1.2. Statements that "TLSv1.0 is the most widely deployed DTLSv1.2. Statements that "TLSv1.0 is the most widely deployed
version and will provide the broadest interoperability" are removed version and will provide the broadest interoperability" are removed
without replacement. without replacement.
[RFC8422] [RFC8261] [RFC7568] [RFC7562] [RFC7525] [RFC7465] [RFC7030] [RFC8422] [RFC8261] [RFC7568] [RFC7562] [RFC7525] [RFC7465] [RFC7030]
[RFC6750] [RFC6749] [RFC6739] [RFC6084] [RFC6083] [RFC6367] [RFC6353] [RFC6750] [RFC6749] [RFC6739] [RFC6084] [RFC6083] [RFC6367] [RFC6353]
[RFC6176] [RFC6042] [RFC6012] [RFC5878] [RFC5734] [RFC5456] [RFC5422] [RFC6176] [RFC6042] [RFC6012] [RFC5878] [RFC5734] [RFC5456] [RFC5422]
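Review bot: Section 1.1 still reads "TLSv1.0 or TLSv1.1 or DTLS1.0" in -12, while the same paragraph uses "DTLSv1.0" and "DTLSv1.2" a few lines later. Since this pass already touches the paragraph for the "are prohibited" to "is prohibited" fix, normalise "DTLS1.0" to "DTLSv1.0" at the same time. This paragraph is what implementers will read to learn that fallback is prohibited, so the version names should be unambiguous.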
skipping to change at page 5, line 42 skipping to change at page 5, line 42
and other RFCs referenced therein. Although mitigations for the and other RFCs referenced therein. Although mitigations for the
current known vulnerabilities have been developed, any future issues current known vulnerabilities have been developed, any future issues
discovered in old protocol versions might not be mitigated in older discovered in old protocol versions might not be mitigated in older
library versions when newer library versions do not support those old library versions when newer library versions do not support those old
protocols. protocols.
NIST for example has provided the following rationale, copied with NIST for example has provided the following rationale, copied with
permission from [NIST800-52r2], section 1.2 "History of TLS" (with permission from [NIST800-52r2], section 1.2 "History of TLS" (with
references changed for RFC formatting). references changed for RFC formatting).
TLSv1.1, specified in [RFC4346], was developed to address TLS 1.1, specified in [RFC4346], was developed to address
weaknesses discovered in TLSv1.0, primarily in the areas of weaknesses discovered in TLS 1.0, primarily in the areas of
initialization vector selection and padding error processing. initialization vector selection and padding error processing.
Initialization vectors were made explicit to prevent a certain Initialization vectors were made explicit to prevent a certain
class of attacks on the Cipher Block Chaining (CBC) mode of class of attacks on the Cipher Block Chaining (CBC) mode of
operation used by TLS. The handling of padding errors was altered operation used by TLS. The handling of padding errors was altered
to treat a padding error as a bad message authentication code, to treat a padding error as a bad message authentication code,
rather than a decryption failure. In addition, the TLSv1.1 RFC rather than a decryption failure. In addition, the TLS 1.1 RFC
acknowledges attacks on CBC mode that rely on the time to compute acknowledges attacks on CBC mode that rely on the time to compute
the message authentication code (MAC). The TLSv1.1 specification the message authentication code (MAC). The TLS 1.1 specification
states that to defend against such attacks, an implementation must states that to defend against such attacks, an implementation must
process records in the same manner regardless of whether padding process records in the same manner regardless of whether padding
errors exist. Further implementation considerations for CBC modes errors exist. Further implementation considerations for CBC modes
(which were not included in RFC4346 [RFC4346]) are discussed in (which were not included in RFC4346 [RFC4346]) are discussed in
Section 3.3.2. Section 3.3.2.
TLSv1.2, specified in RFC5246 [RFC5246], made several TLSv1.2, specified in RFC5246 [RFC5246], made several
cryptographic enhancements, particularly in the area of hash cryptographic enhancements, particularly in the area of hash
functions, with the ability to use or specify the SHA-2 family functions, with the ability to use or specify the SHA-2 family
algorithms for hash, MAC, and Pseudorandom Function (PRF) algorithms for hash, MAC, and Pseudorandom Function (PRF)
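Review bot: The NIST quotation is only partly converted in -12: the first quoted paragraph now uses "TLS 1.1" and "TLS 1.0", but the second still opens with "TLSv1.2, specified in RFC5246 [RFC5246]". As the text is presented as copied from [NIST800-52r2] with only the references changed, the version naming should follow the source throughout the quotation. The doubled "RFC4346 [RFC4346]" and "RFC5246 [RFC5246]" forms could also be reduced to the bracketed reference, as the first quoted sentence already does with "specified in [RFC4346]".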
skipping to change at page 8, line 5 skipping to change at page 8, line 5
Historically, TLS specifications were not clear on what the record Historically, TLS specifications were not clear on what the record
layer version number (TLSPlaintext.version) could contain when layer version number (TLSPlaintext.version) could contain when
sending ClientHello. Appendix E of [RFC5246] notes that sending ClientHello. Appendix E of [RFC5246] notes that
TLSPlaintext.version could be selected to maximize interoperability, TLSPlaintext.version could be selected to maximize interoperability,
though no definitive value is identified as ideal. That guidance is though no definitive value is identified as ideal. That guidance is
still applicable; therefore, TLS servers MUST accept any value still applicable; therefore, TLS servers MUST accept any value
{03,XX} (including {03,00}) as the record layer version number for {03,XX} (including {03,00}) as the record layer version number for
ClientHello, but they MUST NOT negotiate TLSv1.1. ClientHello, but they MUST NOT negotiate TLSv1.1.
6. Updates to RFC7525 6. Updates to RFC 7525
RFC7525 is BCP195, "Recommendations for Secure Use of Transport Layer RFC7525 is BCP 195, "Recommendations for Secure Use of Transport
Security (TLS) and Datagram Transport Layer Security (DTLS)", which Layer Security (TLS) and Datagram Transport Layer Security (DTLS)",
is the most recent best practice document for implementing TLS and which is the most recent best practice document for implementing TLS
was based on TLSv1.2. At the time of publication, TLSv1.0 and and was based on TLSv1.2. At the time of publication, TLSv1.0 and
TLSv1.1 had not yet been deprecated. As such, BCP195 is called out TLSv1.1 had not yet been deprecated. As such, BCP 195 is called out
specifically to update text implementing the deprecation specifically to update text implementing the deprecation
recommendations of this document. recommendations of this document.
This documents updates [RFC7525] Section 3.1.1 changing SHOULD NOT to This document updates [RFC7525] Section 3.1.1 changing SHOULD NOT to
MUST NOT as follows: MUST NOT as follows:
o Implementations MUST NOT negotiate TLS version 1.0 [RFC2246]. o Implementations MUST NOT negotiate TLS version 1.0 [RFC2246].
Rationale: TLSv1.0 (published in 1999) does not support many Rationale: TLSv1.0 (published in 1999) does not support many
modern, strong cipher suites. In addition, TLSv1.0 lacks a per- modern, strong cipher suites. In addition, TLSv1.0 lacks a per-
record Initialization Vector (IV) for CBC-based cipher suites and record Initialization Vector (IV) for CBC-based cipher suites and
does not warn against common padding errors. does not warn against common padding errors.
o Implementations MUST NOT negotiate TLS version 1.1 [RFC4346]. o Implementations MUST NOT negotiate TLS version 1.1 [RFC4346].
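Review bot: In Section 6 of -12 the heading becomes "Updates to RFC 7525" and "BCP195" becomes "BCP 195", but the first body sentence still starts "RFC7525 is BCP 195" without the space. Suggest "RFC 7525" there as well, or the bracketed [RFC7525] form used two paragraphs down. The normative change itself (SHOULD NOT to MUST NOT for negotiating TLS 1.0 and 1.1) is unchanged between the two versions.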
skipping to change at page 22, line 9 skipping to change at page 22, line 9
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS [RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS
and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018,
<https://www.rfc-editor.org/info/rfc8447>. <https://www.rfc-editor.org/info/rfc8447>.
Appendix A. Change Log Appendix A. Change Log
[[RFC editor: please remove this before publication.]] [[RFC editor: please remove this before publication.]]
From draft-ietf-tls-oldversions-deprecate-11 to draft-ietf-tls-
oldversions-deprecate-12 (IESG review):
o Minor edits from IESG review comments.
From draft-ietf-tls-oldversions-deprecate-10 to draft-ietf-tls- From draft-ietf-tls-oldversions-deprecate-10 to draft-ietf-tls-
oldversions-deprecate-11: oldversions-deprecate-11:
o RFC 5953 was mentioned in the wrong para of section 1.1 - it has o RFC 5953 was mentioned in the wrong para of section 1.1 - it has
been obsoleted already. been obsoleted already.
From draft-ietf-tls-oldversions-deprecate-09 to draft-ietf-tls- From draft-ietf-tls-oldversions-deprecate-09 to draft-ietf-tls-
oldversions-deprecate-10: oldversions-deprecate-10:
o We missed adding change logs for a few versions, but since -09 was o We missed adding change logs for a few versions, but since -09 was
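Review bot: The new change-log entry for -11 to -12, "Minor edits from IESG review comments", does not say which text changed. The diff shows at least one substantive rewording (the abstract's statement on TLSv1.2 and its obsoletion by TLSv1.3 in 2018) along with the NIST quotation wording and the Introduction's explicit list of deprecated versions. Listing those would make the entry match the level of detail of the -10 to -11 entry below it.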
 End of changes. 19 change blocks. 
31 lines changed or deleted 36 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/