rfc-8996
Deprecating TLS 1.0 and TLS 1.1
This document formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents have been moved to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.
This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1.
This document updates many RFCs that normatively refer to TLS version 1.0 or TLS version 1.1, as described herein. This document also updates the best practices for TLS usage in RFC 7525; hence, it is part of BCP 195.
Obsoletes
- rfc-5469 — DES and IDEA Cipher Suites for Transport Layer Security (TLS)
- rfc-7507 — TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
Updates
- rfc-3261 — SIP: Session Initiation Protocol
- rfc-3329 — Security Mechanism Agreement for the Session Initiation Protocol (SIP)
- rfc-3436 — Transport Layer Security over Stream Control Transmission Protocol
- rfc-3470 — Guidelines for the Use of Extensible Markup Language (XML) within IETF Protocols
- rfc-3501 — INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1
- rfc-3552 — Guidelines for Writing RFC Text on Security Considerations
- rfc-3568 — Known Content Network (CN) Request-Routing Mechanisms
- rfc-3656 — The Mailbox Update (MUPDATE) Distributed Mailbox Database Protocol
- rfc-3749 — Transport Layer Security Protocol Compression Methods
- rfc-3767 — Securely Available Credentials Protocol
- rfc-3856 — A Presence Event Package for the Session Initiation Protocol (SIP)
- rfc-3871 — Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure
- rfc-3887 — Message Tracking Query Protocol
- rfc-3903 — Session Initiation Protocol (SIP) Extension for Event State Publication
- rfc-3943 — Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)
- rfc-3983 — Using the Internet Registry Information Service (IRIS) over the Blocks Extensible Exchange Protocol (BEEP)
- rfc-4097 — Middlebox Communications (MIDCOM) Protocol Evaluation
- rfc-4111 — Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs)
- rfc-4162 — Addition of SEED Cipher Suites to Transport Layer Security (TLS)
- rfc-4168 — The Stream Control Transmission Protocol (SCTP) as a Transport for the Session Initiation Protocol (SIP)
- rfc-4217 — Securing FTP with TLS
- rfc-4235 — An INVITE-Initiated Dialog Event Package for the Session Initiation Protocol (SIP)
- rfc-4261 — Common Open Policy Service (COPS) Over Transport Layer Security (TLS)
- rfc-4279 — Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
- rfc-4497 — Interworking between the Session Initiation Protocol (SIP) and QSIG
- rfc-4513 — Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms
- rfc-4531 — Lightweight Directory Access Protocol (LDAP) Turn Operation
- rfc-4540 — NEC's Simple Middlebox Configuration (SIMCO) Protocol Version 3.0
- rfc-4582 — The Binary Floor Control Protocol (BFCP)
- rfc-4616 — The PLAIN Simple Authentication and Security Layer (SASL) Mechanism
- rfc-4642 — Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)
- rfc-4680 — TLS Handshake Message for Supplemental Data
- rfc-4681 — TLS User Mapping Extension
- rfc-4712 — Transport Mappings for Real-time Application Quality-of-Service Monitoring (RAQMON) Protocol Data Unit (PDU)
- rfc-4732 — Internet Denial-of-Service Considerations
- rfc-4743 — Using NETCONF over the Simple Object Access Protocol (SOAP)
- rfc-4744 — Using the NETCONF Protocol over the Blocks Extensible Exchange Protocol (BEEP)
- rfc-4785 — Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)
- rfc-4791 — Calendaring Extensions to WebDAV (CalDAV)
- rfc-4823 — FTP Transport for Secure Peer-to-Peer Business Data Interchange over the Internet
- rfc-4851 — The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)
- rfc-4964 — The P-Answer-State Header Extension to the Session Initiation Protocol for the Open Mobile Alliance Push to Talk over Cellular
- rfc-4975 — The Message Session Relay Protocol (MSRP)
- rfc-4976 — Relay Extensions for the Message Sessions Relay Protocol (MSRP)
- rfc-4992 — XML Pipelining with Chunks for the Internet Registry Information Service
- rfc-5018 — Connection Establishment in the Binary Floor Control Protocol (BFCP)
- rfc-5019 — The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
- rfc-5023 — The Atom Publishing Protocol
- rfc-5024 — ODETTE File Transfer Protocol 2.0
- rfc-5049 — Applying Signaling Compression (SigComp) to the Session Initiation Protocol (SIP)
- rfc-5054 — Using the Secure Remote Password (SRP) Protocol for TLS Authentication
- rfc-5091 — Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems
- rfc-5158 — 6to4 Reverse DNS Delegation Specification
- rfc-5216 — The EAP-TLS Authentication Protocol
- rfc-5238 — Datagram Transport Layer Security (DTLS) over the Datagram Congestion Control Protocol (DCCP)
- rfc-5263 — Session Initiation Protocol (SIP) Extension for Partial Notification of Presence Information
- rfc-5281 — Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)
- rfc-5364 — Extensible Markup Language (XML) Format Extension for Representing Copy Control Attributes in Resource Lists
- rfc-5415 — Control And Provisioning of Wireless Access Points (CAPWAP) Protocol Specification
- rfc-5422 — Dynamic Provisioning Using Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST)
- rfc-5456 — IAX: Inter-Asterisk eXchange Version 2
- rfc-5734 — Extensible Provisioning Protocol (EPP) Transport over TCP
- rfc-5878 — Transport Layer Security (TLS) Authorization Extensions
- rfc-5953 — Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)
- rfc-6012 — Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
- rfc-6042 — Transport Layer Security (TLS) Authorization Using KeyNote
- rfc-6083 — Datagram Transport Layer Security (DTLS) for Stream Control Transmission Protocol (SCTP)
- rfc-6084 — General Internet Signaling Transport (GIST) over Stream Control Transmission Protocol (SCTP) and Datagram Transport Layer Security (DTLS)
- rfc-6176 — Prohibiting Secure Sockets Layer (SSL) Version 2.0
- rfc-6347 — Datagram Transport Layer Security Version 1.2
- rfc-6353 — Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)
- rfc-6367 — Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)
- rfc-6460 — Suite B Profile for Transport Layer Security (TLS)
- rfc-6614 — Transport Layer Security (TLS) Encryption for RADIUS
- rfc-6739 — Synchronizing Service Boundaries and <mapping> Elements Based on the Location-to-Service Translation (LoST) Protocol
- rfc-6749 — The OAuth 2.0 Authorization Framework
- rfc-6750 — The OAuth 2.0 Authorization Framework: Bearer Token Usage
- rfc-7030 — Enrollment over Secure Transport
- rfc-7465 — Prohibiting RC4 Cipher Suites
- rfc-7525 — Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
- rfc-7562 — Transport Layer Security (TLS) Authorization Using Digital Transmission Content Protection (DTCP) Certificates
- rfc-7568 — Deprecating Secure Sockets Layer Version 3.0
- rfc-8261 — Datagram Transport Layer Security (DTLS) Encapsulation of SCTP Packets
- rfc-8422 — Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier
See also
- bcp-195