https://datatracker.ietf.org/doc/rfc8996/

Deprecating TLS 1.0 and TLS 1.1
RFC 8996

Document
  Type:           RFC - Best Current Practice (March 2021; No errata)
  Obsoletes:      RFC 5469, RFC 7507
  Updates:        RFC 4732, RFC 5878, RFC 4168, RFC 6460, RFC 8261, RFC 4681, RFC 4975, RFC 3470, RFC 3887, RFC 4582, RFC 5364, RFC 3749, RFC 4235, RFC 4976, RFC 5456, RFC 4531, RFC 4823, RFC 5263, RFC 3436, RFC 5281, RFC 4680, RFC 3767, RFC 4712, RFC 7465, RFC 5019, RFC 4162, RFC 5415, RFC 3501, RFC 3552, RFC 5091, RFC 5734, RFC 5953, RFC 4540, RFC 6012, RFC 3261, RFC 5216, RFC 6042, RFC 3856, RFC 4744, RFC 5158, RFC 6083, RFC 7562, RFC 5049, RFC 4497, RFC 7568, RFC 4992, RFC 3983, RFC 3871, RFC 5023, RFC 6614, RFC 6084, RFC 4785, RFC 7525, RFC 4513, RFC 3656, RFC 4111, RFC 4261, RFC 4279, RFC 3943, RFC 6347, RFC 4791, RFC 6176, RFC 3903, RFC 5422, RFC 3329, RFC 4217, RFC 7030, RFC 3568, RFC 6750, RFC 5018, RFC 5024, RFC 8422, RFC 4097, RFC 6353, RFC 5238, RFC 6367, RFC 6739, RFC 5054, RFC 4743, RFC 6749, RFC 4964, RFC 4616, RFC 4642, RFC 4851
  Was:            draft-ietf-tls-oldversions-deprecate (tls WG)
  Authors:        Kathleen Moriarty, Stephen Farrell
  Last updated:   2021-03-23
  Replaces:       draft-moriarty-tls-oldversions-diediedie
  Stream:         Internet Engineering Task Force (IETF)
  Reviews:        OPSDIR Last Call Review (of -09): Ready
                  GENART Last Call Review (of -09): Ready
                  SECDIR Last Call Review (of -09): Ready

Stream
  WG state:           Submitted to IESG for Publication
  Document shepherd:  Sean Turner
  Shepherd write-up:  last changed 2020-12-29

IESG
  IESG state:             RFC 8996 (Best Current Practice)
  Action Holders:         (None)
  Consensus Boilerplate:  Yes
  Telechat date:          (none)
  Responsible AD:         Benjamin Kaduk
  Send notices to:        Sean Turner, Kathleen Moriarty

IANA
  IANA review state:  IANA OK - No Actions Needed
  IANA action state:  No IANA Actions


Internet Engineering Task Force (IETF)                       K. Moriarty
Request for Comments: 8996                                           CIS
BCP: 195                                                      S. Farrell
Obsoletes: 5469, 7507                             Trinity College Dublin
Updates: 3261, 3329, 3436, 3470, 3501, 3552,                  March 2021
         3568, 3656, 3749, 3767, 3856, 3871,
         3887, 3903, 3943, 3983, 4097, 4111,
         4162, 4168, 4217, 4235, 4261, 4279,
         4497, 4513, 4531, 4540, 4582, 4616,
         4642, 4680, 4681, 4712, 4732, 4743,
         4744, 4785, 4791, 4823, 4851, 4964,
         4975, 4976, 4992, 5018, 5019, 5023,
         5024, 5049, 5054, 5091, 5158, 5216,
         5238, 5263, 5281, 5364, 5415, 5422,
         5456, 5734, 5878, 5953, 6012, 6042,
         6083, 6084, 6176, 6347, 6353, 6367,
         6460, 6614, 6739, 6749, 6750, 7030,
         7465, 7525, 7562, 7568, 8261, 8422
Category: Best Current Practice
ISSN: 2070-1721

                     Deprecating TLS 1.0 and TLS 1.1

Abstract

   This document formally deprecates Transport Layer Security (TLS)
   versions 1.0 (RFC 2246) and 1.1 (RFC 4346).
   Accordingly, those documents have been moved to Historic status.
   These versions lack support for current and recommended cryptographic
   algorithms and mechanisms, and various government and industry
   profiles of applications using TLS now mandate avoiding these old TLS
   versions. TLS version 1.2 became the recommended version for IETF
   protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in
   2018), providing sufficient time to transition away from older
   versions. Removing support for older versions from implementations
   reduces the attack surface, reduces opportunity for misconfiguration,
   and streamlines library and product maintenance.

   This document also deprecates Datagram TLS (DTLS) version 1.0
   (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1.

   This document updates many RFCs that normatively refer to TLS version
   1.0 or TLS version 1.1, as described herein. This document also
   updates the best practices for TLS usage in RFC 7525; hence, it is
   part of BCP 195.

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF). It represents the consensus of the IETF community. It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG). Further information on
   BCPs is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8996.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  RFCs Updated
     1.2.  Terminology
   2.  Support for Deprecation
   3.  SHA-1 Usage Problematic in TLS 1.0 and TLS 1.1
   4.  Do Not Use TLS 1.0
   5.  Do Not Use TLS 1.1
   6.  Updates to RFC 7525
   7.  Operational Considerations
   8.  Security Considerations
   9.  IANA Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Acknowledgements
   Authors' Addresses

1.  Introduction

   Transport Layer Security (TLS) versions 1.0 [RFC2246] and 1.1
   [RFC4346] were superseded by TLS 1.2 [RFC5246] in 2008, which has now
   itself been superseded by TLS 1.3 [RFC8446]. Datagram Transport Layer
   Security (DTLS) version 1.0 [RFC4347] was superseded by DTLS 1.2
   [RFC6347] in 2012. Therefore, it is timely to further deprecate
   TLS 1.0, TLS 1.1, and DTLS 1.0. Accordingly, the aforementioned
   documents have been moved to Historic status.

   Technical reasons for deprecating these versions include:

   *  They require the implementation of older cipher suites that are no
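   The abstract's recommendation is that implementations stop offering
   and accepting TLS 1.0 and TLS 1.1 altogether. The following is an
   added example, not text or code from RFC 8996 or from the IETF
   datatracker, showing how that floor is expressed with Python's
   standard ssl module and how an existing SSLContext can be audited for
   deprecated versions it would still negotiate. The function names
   (rfc8996_context, audit_context, deprecated_in_range) are this
   example's own. Python's ssl module has no DTLS support, so DTLS 1.0
   is outside what this check can cover.

```python
"""Added example (not part of RFC 8996 or the datatracker page): build a
Python ssl.SSLContext that honours the BCP by refusing TLS 1.0 and TLS 1.1,
and audit a context for the deprecated protocol versions it still admits."""
import ssl

# Versions a compliant endpoint must not negotiate: TLS 1.0 and TLS 1.1 per
# RFC 8996, plus SSLv3, which RFC 7568 deprecated earlier.
DEPRECATED_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def _concrete(version):
    """Map the open-ended sentinels to the versions they stand for, so the
    range comparison below stays monotonic (the sentinels are negative ints)."""
    if version == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return ssl.TLSVersion.SSLv3
    if version == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return ssl.TLSVersion.TLSv1_3
    return version


def _as_version(value):
    """Accept either a TLSVersion member or its enum name, e.g. 'TLSv1_1'."""
    return value if isinstance(value, ssl.TLSVersion) else ssl.TLSVersion[value]


def deprecated_in_range(minimum, maximum="MAXIMUM_SUPPORTED"):
    """Names of deprecated versions inside [minimum, maximum]; an empty list
    means the range is acceptable under RFC 8996 (and RFC 7568)."""
    lo = _concrete(_as_version(minimum))
    hi = _concrete(_as_version(maximum))
    return [v.name for v in DEPRECATED_VERSIONS if lo <= v <= hi]


def audit_context(ctx):
    """Deprecated versions an existing SSLContext would still offer or accept."""
    return deprecated_in_range(ctx.minimum_version, ctx.maximum_version)


def rfc8996_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Platform default context plus an explicit floor of TLS 1.2.

    Python before 3.10 left the floor at MINIMUM_SUPPORTED (TLS 1.0 still
    allowed), so the floor is set explicitly rather than assumed."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    ctx = rfc8996_context()
    print("floor:", ctx.minimum_version.name,
          "| deprecated still allowed:", audit_context(ctx) or "none")
    # A legacy configuration that still permits TLS 1.0 and up.
    print("TLSv1..max still allows:", deprecated_in_range("TLSv1"))
```

   The audit reads only minimum_version and maximum_version; it does not
   inspect the deprecated OP_NO_TLSv1 style option bits, because on the
   OpenSSL builds that expose the version attributes the version range is
   the authoritative control. Run the audit against every context a
   service creates, not just the default one, since a library that builds
   its own SSLContext can reopen the floor.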