On 19/11/2020 17:24, Roman Danyliw wrote:
Hi Tom!
-----Original Message-----
From: tom petch <daedulus@xxxxxxxxxxxxx>
Sent: Thursday, November 19, 2020 7:40 AM
On 18/11/2020 22:43, Keith Moore wrote:
On 11/18/20 4:17 PM, Roman Danyliw wrote:
[Roman] In case there is concern about the TLS configuration on
www.ietf.org <http://www.ietf.org>, it is quite permissive to ensure
flexibility . See
https://www.ssllabs.com/ssltest/analyze.html?d=www.ietf.org&s=104.16.45.99
&hideResults=on.
TLS v1.0 – 1.3 is supported. Likewise, the ciphersuites are
extremely generous.
That is true for the main IETF site but not for the tools sites which is what I
imagine that almost everyone here will be concerned with.
Understood. The good news is that tools.ietf is currently configured for TLS 1.0 - 1.2. FWIW, datatracker.ietf and www.ietf are the canonical repositories for the I-Ds and RFCs in the IETF.
The full answer is that documents over HTTPS come from 3 domains and 6 formats (see the buttons next to "format" on the status tab of datatracker page):
"plain text" = https://www.ietf.org/archive/id/*.txt
"xml" = https://www.ietf.org/archive/id/*.xml
"pdf" = https://tools.ietf.org/pdf/*.pdf
"htmlized (tools) = https://tools.ietf.org/html/*
"htmlize" = https://datatracker.ietf.org/doc/html/
native datatracker txt = https://datatracker.ietf.org/doc/*
Per those 3 domains, the config is as follows:
-- datatracker.ietf.org = TLS 1.0 - 1.2
-- www.ietf.org = TLS 1.0 - 1.3
-- tools.ietf.org. = TLS 1.0 - 1.2
Bottom line, if you have a browser or https library that implemented state-of-the-art as of 1999 (the publication date of TLS 1.0, RFC2246), you can reach all three domains over https -- so circa Internet Explorer v5 on Windows 98 SE, before MacOS, or Netscape 6.
Well, no, not in my experience.
I originally configured Windows 98SE for TLS1.0 with certificate
checking and can today access IANA, ISOC, ITU-T, IEEE, Metropolitan
Opera inter alia, at least to the home pages, but have 100% failure on
anything ietf.org - along with Cisco, IBM, RIPE, Microsoft, all of which
used to work - and so was forced to stop using that several years ago,
probably at the time of the announcement that in future all ietf access
would be https: My logs do not go back that far and anything I look at
promptly updates last accessed so I cannot see when I last accessed e.g.
an IETF favorite successfully on 98SE. (I do not see later Windows as a
better user interface for contributing to the IETF, i.e. downloading I-D
and RFC, reviewing and commenting and so did not leave 98SE until I was
forced to; software currency has not been a concern).
I then used Windows XP until again, access to the IETF web pages stopped
working, probably 2016, and that remains the case today. It also is
configured with TLS 1.0 (not SSL2, SSL3) with certificate checking. I
get no prompts about certificate failures which I get plenty of with
other web sites. I can access Cisco, Amazon and Google in addition to
those listed above but not IBM, Microsoft, RIPE.
Your six URL above are interesting. /pdf/ on Windows XP says no such
directory so clearly tools.ietf.org is accessible with Windows XP, but
www. and datatracker. both fail with the usual error message, 'Internet
Explorer cannot display the page', as does [1] below, and this is what I
get for any failure to any other organisation, be it no DNS, RJ45
unplugged, http://192.168.254.1 (.1.254 works to the ADSL modem), almost
any error except a certificate failure or a 404 so while the issue could
be with the browser, I think not. When 98SE failed, I assumed that the
ietf was demanding TLS 1.1 but from what you say, I suspect it is
ciphersuite. XP has all updates applied as of end-of-currency, 98SE
less so. Both only go up to TLS 1.0.
The software is out of the box, shrink-wrapped, no fancy add-ons, just
Acrobat Reader; what else does one need to contribute to the IETF apart
from access to the ietf website:-)
Tom Petch
Since we're talking about these different domains, the original proposal [1] and the follow-up stats [2] said that HTTPS usage is being undercount. All of the prepared stats only counted traffic to tools.ietf.org, not datatracker or www.ietf. Therefore FTP traffic is an even smaller fraction of the overall access than previously discussed.
Regards,
Roman
[1] https://www.ietf.org/media/documents/Retiring_IETF_FTP_Service.pdf
[2] https://docs.google.com/document/d/1JAXspeaMWFl8ML3hSezFSM0VsJsHI4uyDlQ2dHip8jo/edit
