idnits 2.17.1 

draft-ietf-tls-ssl2-must-not-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The draft header indicates that this document updates RFC4346, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC5246, but the
     abstract doesn't seem to mention this, which it should.

  -- The draft header indicates that this document updates RFC2246, but the
     abstract doesn't seem to mention this, which it should.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

     (Using the creation date from RFC2246, updated by this document, for
     RFC5378 checks: 1996-12-03)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.) -- however,
     there's a paragraph with a matching beginning. Boilerplate error?

  -- The document date (November 29, 2010) is 4891 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

1	Network Working Group                                         S. Turner
2	Internet Draft                                                     IECA
3	Updates: 5246, 4346, 2246 (once approved)                       T. Polk
4	Intended Status: Standards Track                                   NIST
5	Expires: May 29, 2011                                 November 29, 2010

7	                        Prohibiting SSL Version 2.0
8	                    draft-ietf-tls-ssl2-must-not-03.txt

10	Abstract

12	   This document requires that when TLS clients and servers establish
13	   connections that they never negotiate the use of Secure Sockets Layer
14	   (SSL) version 2.0.  This document updates the backward compatibility
15	   sections found in the Transport Security Layer (TLS).

17	Status of this Memo

19	   This Internet-Draft is submitted in full conformance with the
20	   provisions of BCP 78 and BCP 79.  This document may contain material
21	   from IETF Documents or IETF Contributions published or made publicly
22	   available before November 10, 2008.

24	   Internet-Drafts are working documents of the Internet Engineering
25	   Task Force (IETF), its areas, and its working groups.  Note that
26	   other groups may also distribute working documents as Internet-
27	   Drafts.

29	   Internet-Drafts are draft documents valid for a maximum of six months
30	   and may be updated, replaced, or obsoleted by other documents at any
31	   time.  It is inappropriate to use Internet-Drafts as reference
32	   material or to cite them other than as "work in progress."

34	   The list of current Internet-Drafts can be accessed at
35	   http://www.ietf.org/ietf/1id-abstracts.txt.

37	   The list of Internet-Draft Shadow Directories can be accessed at
38	   http://www.ietf.org/shadow.html.

40	   This Internet-Draft will expire on May 29, 2009.

42	Copyright Notice

44	   Copyright (c) 2010 IETF Trust and the persons identified as the
45	   document authors. All rights reserved.

47	   This document is subject to BCP 78 and the IETF Trust's Legal
48	   Provisions Relating to IETF Documents
49	   (http://trustee.ietf.org/license-info) in effect on the date of
50	   publication of this document. Please review these documents
51	   carefully, as they describe your rights and restrictions with respect
52	   to this document. Code Components extracted from this document must
53	   include Simplified BSD License text as described in Section 4.e of
54	   the Trust Legal Provisions and are provided without warranty as
55	   described in the Simplified BSD License.

57	1. Introduction

59	   Many protocols specified in the IETF rely on Transport Layer Security
60	   (TLS) [TLS1.0][TLS1.1][TLS1.2] for security services.  This is a good
61	   thing, but some TLS clients and servers also support negotiating the
62	   use of Secure Sockets Layer (SSL) version 2.0 [SSL2]; however, this
63	   version does not provide the expected level of security. SSL version
64	   2.0 has known deficiencies. This document describes those
65	   deficiencies, and it requires TLS clients and servers never negotiate
66	   the use of SSL version 2.0.

68	   This document updates the backward compatibility sections found in
69	   TLS [TLS1.0][TLS1.1][TLS1.2].

71	1.1. Requirements Terminology

73	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
74	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
75	   "OPTIONAL" in this document are to be interpreted as described in
76	   [RFC2119].

78	2. SSL 2.0 Deficiencies

80	   SSL version 2.0 [SSL2] deficiencies include:

82	   o Message authentication uses MD5 [MD5].  Most security-aware users
83	     have already moved away from any use of MD5
84	     [I-D.turner-md5-seccon-update].

86	   o Handshake messages are not protected.  This permits a man-in-the-
87	     middle to trick the client into picking a weaker cipher suite than
88	     they would normally choose.

90	   o Message integrity and message encryption use the same key, which is
91	     a problem if the client and server negotiate a weak encryption
92	     algorithm.

94	   o Sessions can be easily terminated.  A man-in-the-middle can easily
95	     insert a TCP FIN to close the session and the peer is unable to
96	     determine whether or not it was a legitimate end of the session.

98	3. Changes to TLS

100	   Because of the deficiencies noted in the previous section:

102	   o TLS clients MUST NOT negotiate or use SSL 2.0.

104	   o TLS clients MUST NOT send SSL 2.0 CLIENT-HELLO messages.

106	   o TLS servers MUST NOT negotiate or use SSL 2.0.

108	   As described in TLSv1.2 ([TLS1.2] Appendix E.2), TLS servers that do
109	   not support SSL 2.0 MAY accept version 2.0 CLIENT-HELLO messages as
110	   the first message of a TLS handshake for interoperability with old
111	   clients.

113	4. IANA Considerations

115	   None.

117	5. Security Considerations

119	   This entire document is about security considerations.

121	6. Acknowledgements

123	   The idea for this document was inspired by discussions between Peter
124	   Saint Andre, Simon Josefsson, and others on the XMPP mailing list.
125	   We would also like to thank Michael D'Errico, Paul Hoffman, Nikos
126	   Mavrogiannopoulos, Tom Petch, Yngve Pettersen, Marsh Ray, Martin Rex,
127	   and Yaron Sheffer for their reviews and comments.

129	7. References

131	7.1. Normative References

133	   [RFC2119]        Bradner, S., "Key words for use in RFCs to Indicate
134	                    Requirement Levels", BCP 14, RFC 2119, March 1997.

136	   [TLS1.0]         Dierks, T., and C. Allen, "The TLS Protocol Version
137	                    1.0", RFC 2246, January 1999.

139	   [TLS1.1]         Dierks, T. and E. Rescorla, "The Transport Layer
140	                    Security (TLS) Protocol Version 1.1", RFC 4346,
141	                    April 2006.

143	   [TLS1.2]         Dierks, T. and E. Rescorla, "The Transport Layer
144	                    Security (TLS) Protocol Version 1.2", RFC 5246,
145	                    August 2008.

147	7.2. Informative References

149	   [MD5]            Rivest, R., "The MD5 Message-Digest Algorithm", RFC
150	                    1321, April 1992.

152	   [SSL2]           Hickman, Kipp, "The SSL Protocol", Netscape
153	                    Communications Corp., Feb 9, 1995.

155	   [I-D.turner-md5-seccon-update] Turner, S., and L. Chen, "Updated
156	                    Security Considerations for the MD5 Message-Digest
157	                    Algorithm", draft-turner-md5-seccon-update, work-in-
158	                    progress.

160	 Authors' Addresses

162	   Sean Turner
163	   IECA, Inc.
164	   3057 Nutley Street, Suite 106
165	   Fairfax, VA 22031
166	   USA

168	   EMail: turners@ieca.com

170	   Tim Polk
171	   National Institute of Standards and Technology
172	   100 Bureau Drive, Mail Stop 8930
173	   Gaithersburg, MD 20899-8930
174	   USA

176	   EMail: tim.polk@nist.gov