Re: TLS access Re: Call for Community Feedback: Retiring IETF FTP Service

On 19/11/2020 17:24, Roman Danyliw wrote:
Hi Tom!

-----Original Message-----
From: tom petch <daedulus@xxxxxxxxxxxxx>
Sent: Thursday, November 19, 2020 7:40 AM

On 18/11/2020 22:43, Keith Moore wrote:
On 11/18/20 4:17 PM, Roman Danyliw wrote:

[Roman] In case there is concern about the TLS configuration on
www.ietf.org <http://www.ietf.org>, it is quite permissive to ensure
flexibility.  See

https://www.ssllabs.com/ssltest/analyze.html?d=www.ietf.org&s=104.16.45.99&hideResults=on.
TLS v1.0 – 1.3 is supported.  Likewise, the ciphersuites are
extremely generous.

That is true for the main IETF site but not for the tools sites which is what I
imagine that almost everyone here will be concerned with.

Understood.  The good news is that tools.ietf is currently configured for TLS 1.0 - 1.2.  FWIW, datatracker.ietf and www.ietf are the canonical repositories for the I-Ds and RFCs in the IETF.

The full answer is that documents over HTTPS come from 3 domains and 6 formats (see the buttons next to "format" on the status tab of datatracker page):

"plain text" = https://www.ietf.org/archive/id/*.txt
"xml" = https://www.ietf.org/archive/id/*.xml
"pdf" = https://tools.ietf.org/pdf/*.pdf
"htmlized (tools)" = https://tools.ietf.org/html/*
"htmlize" = https://datatracker.ietf.org/doc/html/
native datatracker txt = https://datatracker.ietf.org/doc/*

Per those 3 domains, the config is as follows:
-- datatracker.ietf.org = TLS 1.0 - 1.2
-- www.ietf.org = TLS 1.0 - 1.3
-- tools.ietf.org. = TLS 1.0 - 1.2

Bottom line, if you have a browser or https library that implemented state-of-the-art as of 1999 (the publication date of TLS 1.0, RFC2246), you can reach all three domains over https -- so circa Internet Explorer v5 on Windows 98 SE, before MacOS, or Netscape 6.

Well, no, not in my experience.
I originally configured Windows 98SE for TLS1.0 with certificate checking and can today access IANA, ISOC, ITU-T, IEEE, Metropolitan Opera inter alia, at least to the home pages, but have 100% failure on anything ietf.org - along with Cisco, IBM, RIPE, Microsoft, all of which used to work - and so was forced to stop using that several years ago, probably at the time of the announcement that in future all ietf access would be https: My logs do not go back that far and anything I look at promptly updates last accessed so I cannot see when I last accessed e.g. an IETF favorite successfully on 98SE. (I do not see later Windows as a better user interface for contributing to the IETF, i.e. downloading I-D and RFC, reviewing and commenting and so did not leave 98SE until I was forced to; software currency has not been a concern).

I then used Windows XP until again, access to the IETF web pages stopped working, probably 2016, and that remains the case today. It also is configured with TLS 1.0 (not SSL2, SSL3) with certificate checking. I get no prompts about certificate failures which I get plenty of with other web sites. I can access Cisco, Amazon and Google in addition to those listed above but not IBM, Microsoft, RIPE.

Your six URLs above are interesting. /pdf/ on Windows XP says no such directory so clearly tools.ietf.org is accessible with Windows XP, but www. and datatracker. both fail with the usual error message, 'Internet Explorer cannot display the page', as does [1] below, and this is what I get for any failure to any other organisation, be it no DNS, RJ45 unplugged, http://192.168.254.1 (.1.254 works to the ADSL modem), almost any error except a certificate failure or a 404 so while the issue could be with the browser, I think not. When 98SE failed, I assumed that the ietf was demanding TLS 1.1 but from what you say, I suspect it is ciphersuite. XP has all updates applied as of end-of-currency, 98SE less so. Both only go up to TLS 1.0.

The software is out of the box, shrink-wrapped, no fancy add-ons, just Acrobat Reader; what else does one need to contribute to the IETF apart from access to the ietf website:-)

Tom Petch

Since we're talking about these different domains, the original proposal [1] and the follow-up stats [2] said that HTTPS usage is being undercounted.  All of the prepared stats only counted traffic to tools.ietf.org, not datatracker or www.ietf.  Therefore FTP traffic is an even smaller fraction of the overall access than previously discussed.

Regards,
Roman

[1] https://www.ietf.org/media/documents/Retiring_IETF_FTP_Service.pdf
[2] https://docs.google.com/document/d/1JAXspeaMWFl8ML3hSezFSM0VsJsHI4uyDlQ2dHip8jo/edit
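
Added illustration, not part of the mail above: a simplified model of the two handshake checks the thread distinguishes, protocol version range and shared ciphersuite, showing how a client capped at TLS 1.0 can fail against a server that still accepts TLS 1.0. The endpoint names and suite lists are constructed assumptions, not measurements of any IETF server or Windows installation; only the "TLS 1.0 - 1.2" range is taken from the thread.

```python
from dataclasses import dataclass

# Protocol versions named in the thread, oldest first.
VERSIONS = ["TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]

@dataclass(frozen=True)
class Endpoint:
    min_version: str
    max_version: str
    suites: tuple  # cipher suites in preference order

def negotiate(client, server):
    """Simplified handshake: version overlap first, then a shared suite.

    Returns (True, "<version> <suite>") or (False, "<TLS alert name>").
    Ignores that TLS 1.3 has its own suite set; fine for a TLS 1.0 client.
    """
    lo = max(VERSIONS.index(client.min_version), VERSIONS.index(server.min_version))
    hi = min(VERSIONS.index(client.max_version), VERSIONS.index(server.max_version))
    if lo > hi:
        return False, "protocol_version"
    for suite in server.suites:  # server picks by its own preference
        if suite in client.suites:
            return True, f"{VERSIONS[hi]} {suite}"
    return False, "handshake_failure"

# Constructed sample data (assumption): a legacy client offering only old suites.
LEGACY_CLIENT = Endpoint("TLS 1.0", "TLS 1.0", (
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"))

# Constructed server profiles (assumption); keys are hypothetical labels.
SERVERS = {
    "tls1.0-1.2, keeps 3DES": Endpoint("TLS 1.0", "TLS 1.2", (
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA")),
    "tls1.0-1.2, AES only": Endpoint("TLS 1.0", "TLS 1.2", (
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA")),
    "tls1.1 minimum": Endpoint("TLS 1.1", "TLS 1.2", (
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",)),
}

def survey(client=LEGACY_CLIENT):
    """Outcome of the client against every constructed server profile."""
    return {name: negotiate(client, srv) for name, srv in SERVERS.items()}

if __name__ == "__main__":
    for name, result in survey().items():
        print(f"{name:24} {result}")
```

The second and third profiles fail with different TLS alerts, but a client that reports every failure with the same generic message cannot tell them apart without a packet capture or server-side log.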




