oss-sec mailing list archives
Re: feedback requested regarding deprecation of TLS 1.0/1.1
From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Thu, 15 Aug 2024 23:04:00 -0500
Hanno Böck wrote:
Hello, I have no particular insight on the prevalence of TLS 1.0/1.1 these days, but I want to make a more general comment. My impression of OpenSSL is that it has a strong tendency to ship "bloat", i.e., features that either barely anyone needs, but that still get added (remember Heartbeat extension?), or that should've been deprecated long ago. If this effort to deprecate old protocols is a sign that this is changing, I welcome this. I'd recommend to have a look at other things in the OpenSSL codebase that should be trimmed.
That actually raises another question: what is actually to be gained from deprecating TLS1.0/1.1? Did the protocol significantly change or is the only major difference new cipher suites?
In other words, what non-trivial code paths would dropping TLS1.0/1.1 entirely allow removing? (Concatenating SHA1+MD5 is trivial.)
I also think there's probably potential to remove some obsolete ciphers (DSA?).
While DSA is definitely obsolete (advances in conventional computing have begun to approach the ability to plausibly solve 1024-bit keys, and DSA keys *MUST* be 1024-bit, supposedly to facilitate smartcard implementations), OpenSSL is also a general cryptographic library and applications can use its primitives for other purposes. In particular, this means that dropping TLS1.0/1.1 cipher suites does *not* mean you can drop the ciphers that were used in those suites.
-- Jacob
Current thread:
- Re: feedback requested regarding deprecation of TLS 1.0/1.1, (continued)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Alex Gaynor (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jan Engelhardt (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Duncan Grisby (Aug 08)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Mike O'Connor (Aug 14)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn (Aug 14)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 15)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn (Aug 14)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Hanno Böck (Aug 15)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann (Aug 15)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 16)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton (Aug 16)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 17)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann (Aug 18)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 19)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso (Aug 20)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 20)