RFC 7568: SSL 3.0 Is Now Officially Deprecated

Mattias Geniar, Friday, June 26, 2015

The IETF has taken an official stance in the matter: SSL 3.0 is now deprecated.

It's been a long time coming. We've had, as many others, SSL 3.0 disabled on all our servers for multiple years now. And I'm now happy to report the IETF is making the end of SSL 3.0 "official".

The Secure Sockets Layer version 3.0 (SSLv3), as specified in RFC 6101, is not sufficiently secure. This document requires that SSLv3 not be used.

The replacement versions, in particular, Transport Layer Security (TLS) 1.2 (RFC 5246), are considerably more secure and capable protocols.

RFC 7568: Deprecating Secure Sockets Layer Version 3.0

Initiatives like disablessl3.com have been around for quite a while, urging system administrators to disable SSLv3 wherever possible. With POODLE as its most known attack, the death of SSLv3 is a very welcome one.

The RFC targets everyone using SSL 3.0: servers as well as clients.

Pragmatically, clients MUST NOT send a ClientHello with ClientHello.client_version set to {03,00}.

Similarly, servers MUST NOT send a ServerHello with ServerHello.server_version set to {03,00}. Any party receiving a Hello message with the protocol version set to {03,00} MUST respond with a "protocol_version" alert message and close the connection.

SSL is dead. Long live TLS 1.2(*).

(*) while it lasts.

Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *