IETF formally deprecates TLS 1.0 and TLS 1.1

  • Thread starter Security feed from CyberSecurity Help
  • Start date

Security feed from CyberSecurity Help


The Internet Engineering Task Force (IETF) has officially deprecated the Transport Layer Security (TLS) 1.0 (RFC 2246) and TLS 1.1 (RFC 4346)cryptographic protocols for security reasons. Both these documents have now been moved to Historic status.

The reason behind this move is that TLS 1.0 and TLS 1.1 lack support for current and recommended cryptographic algorithms and mechanisms, which enables malicious actors to take advantage of weaknesses in TLS 1.0/1.1 to compromise encrypted communications and conduct attacks against organizations.

In addition to the TLS 1.0/1.1 versions, IETF has also deprecated Datagram TLS (DTLS) version 1.0 (RFC 4347).

Technical reasons for deprecating these versions include:

-They require the implementation of older cipher suites that are no longer desirable for cryptographic reasons, e.g., TLS 1.0 makes TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA mandatory to implement.

-There is a lack of support for current recommended cipher suites, especially authenticated encryption with associated data (AEAD)ciphers, which were not supported prior to TLS 1.2. Note that registry entries for no-longer-desirable ciphersuites remain in the registries, but many TLS registries were updated by [RFC8447], which indicates that such entries are not recommended by the IETF.

-The integrity of the handshake depends on SHA-1 hash.

-The authentication of the peers depends on SHA-1 signatures.

-Support for four TLS protocol versions increases the likelihood of misconfiguration.

-At least one widely used library has plans to drop TLS 1.1 and TLS 1.0 support in upcoming releases; products using such libraries would need to use older versions of the libraries to support TLS 1.0 and TLS 1.1, which is clearly undesirable.

IETF is now urging all government entities, organizations and software developers to use more secure TLS 1.2 and TLS 1.3 versions.

“Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance,” the IETF’s memo reads.

Let's block ads! (Why?)