On Thursday, July 23, 2015 07:09:49 am Hubert Kario wrote:
> vast swaths of web servers are misconfigured; introducing a more complex
> mechanism to server configuration when the existing situation is
> incomprehensible to many administrators won't help (and even many people that
> write the various blog posts about "how to configure SSL [sic] in httpd"
> clearly haven't read openssl ciphers(1) man page)

We should just get more serious about banning old crap entirely to make
dangerous misconfiguration impossible for TLS 1.3+ implementations.

Right now, the restrictions section prohibits: RC4, SSL2/3, & EXPORT/NULL
entirely (via min bits) and has "SHOULD" use TLS 1.3+ compatible with TLS 1.2,
if available.

How about we stop being fuzzy?

I'd like to make it "MUST" use AEAD with all TLS 1.2+ connections, or abort
with a fatal error. Plus, "MUST" use DHE or ECDHE for ALL connections, even
back to TLS 1.0, or abort with a fatal error. (The wrench in this is plain PSK,
which should be restricted to resumption within a short window; IoT people who
want to use intentionally weak security can write their own known weak spec.)

By the way, even IE6 on XP supports DHE. Windows XP, however, appears to be
badly configured to only allow it with DSS, because missing combos from the
cipher suite nonsense happen. If we actually have to care about IE on XP, we
could state an exception that the only non-PFS cipher suite to be permitted on
servers for backwards compatibility is TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Also add a requirement that all config provided by the admin must be validated
to meet the TLS 1.3 requirements and auto-corrected if not, with a warning if
there's an issue. This doesn't have to be a mess for admins to sort out.

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
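The policy sketched in the message above (AEAD mandatory at TLS 1.2+, (EC)DHE mandatory at every version, a single opt-in non-PFS exception for TLS_RSA_WITH_3DES_EDE_CBC_SHA, plain PSK not accepted as a general suite, and admin configuration validated and auto-corrected with warnings) can be written down as a small server-side checker. The example below is added here for illustration; it is not code from the thread, from any IETF draft, or from any TLS implementation. It assumes IANA cipher-suite names, treats the admin's configuration as an ordered allow-list, and models the per-handshake rule as a selection function that returns `None` where the proposal says the server must abort. The allow-list and client offers are constructed sample data.

```python
"""Cipher-suite policy checker modelling the rules proposed in the message
above (added example, not from the thread or any TLS implementation):

  * RC4, NULL, EXPORT and anonymous suites are never allowed;
  * every connection must use DHE or ECDHE, except an optional allowance
    for TLS_RSA_WITH_3DES_EDE_CBC_SHA for legacy clients;
  * a TLS 1.2+ handshake must end with an AEAD suite or be aborted;
  * plain (non-ephemeral) PSK is not accepted as a general-purpose suite.
"""
import re

LEGACY_EXCEPTION = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")
BANNED_MARKERS = ("RC4", "NULL", "EXPORT", "_anon_")

# Constructed admin allow-list: a plausible mix of good and bad entries.
SAMPLE_CONFIG = [
    "TLS_AES_256_GCM_SHA384",                      # TLS 1.3 suite
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",          # PFS but not AEAD
    "TLS_RSA_WITH_AES_128_GCM_SHA256",             # AEAD but no PFS
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",               # the IE-on-XP exception
    "TLS_RSA_WITH_RC4_128_SHA",                    # banned outright
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",            # anonymous: banned
    "TLS_PSK_WITH_AES_128_GCM_SHA256",             # plain PSK
]


def key_exchange(suite):
    """Key-exchange component of an IANA suite name, or 'TLS13' for the
    TLS 1.3 suites, which carry no key-exchange component at all."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_.+", suite)
    return m.group(1) if m else "TLS13"


def is_aead(suite):
    return key_exchange(suite) == "TLS13" or any(k in suite for k in AEAD_MARKERS)


def is_pfs(suite):
    kx = key_exchange(suite)
    return kx == "TLS13" or kx.startswith(("DHE_", "ECDHE_"))


def classify(suite, allow_legacy_3des=False):
    """Return (verdict, reason) for one allow-list entry. verdict is 'ok',
    'legacy' (kept, but only usable below TLS 1.2) or 'drop'."""
    if any(b in suite for b in BANNED_MARKERS):
        return "drop", "RC4/NULL/EXPORT/anonymous suites are prohibited"
    if not is_pfs(suite):
        if suite == LEGACY_EXCEPTION and allow_legacy_3des:
            return "legacy", "non-PFS suite kept only for legacy clients"
        if key_exchange(suite) == "PSK":
            return "drop", "plain PSK is restricted to short-window resumption"
        return "drop", "MUST use DHE or ECDHE"
    if not is_aead(suite):
        return "legacy", "non-AEAD suite is usable only below TLS 1.2"
    return "ok", "AEAD with ephemeral key exchange"


def validate_config(suites, allow_legacy_3des=False):
    """Auto-correct an admin allow-list: drop prohibited suites, move AEAD
    suites to the front of the preference order, and return warnings for
    every change so the admin can see what happened."""
    kept, warnings = [], []
    for s in suites:
        verdict, reason = classify(s, allow_legacy_3des)
        if verdict == "drop":
            warnings.append(f"removed {s}: {reason}")
            continue
        kept.append(s)
        if verdict == "legacy":
            warnings.append(f"kept {s} for pre-TLS-1.2 clients only: {reason}")
    kept.sort(key=lambda s: not is_aead(s))   # stable: AEAD suites first
    return kept, warnings


def select_suite(version, client_offer, server_list):
    """Pick the suite for one handshake under the proposed rules, walking the
    server's preference order. Returns None where the server must abort with
    a fatal alert. version is the negotiated protocol version, e.g. 1.2."""
    for s in server_list:
        if s not in client_offer:
            continue
        if version >= 1.2 and not is_aead(s):
            continue                            # TLS 1.2+: AEAD or nothing
        if (version >= 1.3) != (key_exchange(s) == "TLS13"):
            continue                            # 1.3 suites only at 1.3
        return s
    return None


if __name__ == "__main__":
    effective, notes = validate_config(SAMPLE_CONFIG, allow_legacy_3des=True)
    print("effective list:", *effective, sep="\n  ")
    print("warnings:", *notes, sep="\n  ")
    # A TLS 1.2 client offering only CBC suites: fatal alert under the proposal.
    print(select_suite(1.2, ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"], effective))
```

Note how the two halves divide the work: `validate_config` is the "validate and auto-correct with a warning" step at configuration load time, while `select_suite` is the per-connection rule that a static cipher list alone cannot express (a CBC suite kept for TLS 1.0 clients must still be refused once the negotiated version is 1.2).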