Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93)

Thu, 23 Jul 2015 10:11:36 -0700 


It is Windows Server 2003 SMTP service that has this problem.
There is a hotfix for it.
I had been asking for these fixes to be pushed out and the KB article corrected 
before Windows Server 2003 ended support.

> Date: Thu, 23 Jul 2015 16:00:34 +0000
> From: ietf-d...@dukhovni.org
> To: tls@ietf.org
> Subject: Re: [TLS] ban more old crap (was: A la carte concerns from IETF 93)
> 
> On Thu, Jul 23, 2015 at 11:43:45AM -0400, Dave Garrett wrote:
> 
>> Right now, the restrictions section prohibits:
>> RC4, SSL2/3, & EXPORT/NULL entirely (via min bits)
>> and has "SHOULD" use TLS 1.3+ compatible with TLS 1.2, if available
> 
> So much for using NULL ciphers for client-server authentication on
> loopback interfaces. :-(
> 
> Surely, in at least some cases, making it harder to make mistakes
> needs to be addressed in toolkit and application interfaces, not
> the protocol. Removing weak algorithms that serve the same use-cases
> poorly is fine, but removing non-traditional use-cases is perhaps
> too drastic.
> 
>> Plus, "MUST" use DHE or ECDHE for ALL connections, even back to TLS 1.0,
>> or abort with a fatal error.
> 
> Who's going to police the Internet to remove all the legacy services?
> 
>> By the way, even IE6 on XP supports DHE.
> 
> But not Exchange server 2003, and various Windows-based email gateway
> appliances.
> 
>> If we actually have to care about IE on
>> XP, we could state an exception that the only non-PFS cipher suite to be
>> permitted on servers for backwards compatibility is
>> TLS_RSA_WITH_3DES_EDE_CBC_SHA.
> 
> Exchange 2003 has a broken 3DES implementation. The only working
> ciphersuites are RC4-SHA/RC4-MD5.
> 
> And there are surely plenty of legacy system that are neither HTTPS
> or email. It sure sounds like the radical surgery is largely for
> HTTPS, and should be implemented in web servers and clients, not
> the TLS protocol.
> 
> -- 
> Viktor.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

                                          
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls






















					Reply via email to