
I've been working on some security docs for a database at work - a quick guide on how to create a JDBC connection over TLS for this. The docs I have mention that while it supports SSLv2, SSLv3 and TLSv1, SSL is not recommended. I have no problem with adding this to the guide, or linking to the relevant RFCs, but I'm a little unsure about the language the RFCs use.

  • RFC 6176 prohibits the use of SSLv2, which I interpret as "Do not use this. Just...don't."
  • RFC 7658 deprecates SSLv3; my interpretation of this is "Don't use this, unless you really need to."

Both RFCs state that their version of SSL must not be used. So, are my interpretations of this accurate? If not, what's the difference?

Philip Rowlands
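The guide described in the question has to make the client side refuse the SSL versions the database still offers. The snippet below is an added example, not code from the question or from any particular JDBC driver: it uses only the standard JSSE API to build SSL parameters whose enabled protocol list contains TLS versions only, and it checks that no protocol named "SSL..." survives. The allowed list (TLSv1.2 and TLSv1.3) and the class name are assumptions of this example; the database and its driver are unnamed on the page, so how the parameters are handed to the driver (a custom SSLSocketFactory, a driver property, or the JVM-wide system property mentioned below) depends on that driver.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not from the original post): restrict a Java TLS client to
 * TLS protocol versions only, so a server that still offers SSLv2/SSLv3
 * cannot negotiate either of them with this client.
 */
public class TlsOnlyClientExample {

    // Assumed policy for this example: TLS 1.2 and 1.3 only. The JSSE names
    // for SSLv3 and the SSLv2Hello pseudo-protocol are deliberately absent.
    private static final List<String> ALLOWED = Arrays.asList("TLSv1.2", "TLSv1.3");

    /** Keep only the entries of ALLOWED that this runtime actually supports. */
    static String[] tlsOnly(String[] supported) {
        return Arrays.stream(supported)
                .filter(ALLOWED::contains)
                .toArray(String[]::new);
    }

    /** Build SSLParameters whose enabled protocols are TLS versions only. */
    static SSLParameters tlsOnlyParameters() throws NoSuchAlgorithmException {
        // The default context is already initialised with the JVM's default
        // key and trust managers, so no init() call is needed here.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(tlsOnly(ctx.getSupportedSSLParameters().getProtocols()));
        return params;
    }

    /** Returns true when no enabled protocol name starts with "SSL". */
    static boolean noSslVersionEnabled(SSLParameters params) {
        for (String p : params.getProtocols()) {
            if (p.startsWith("SSL")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        SSLParameters params = tlsOnlyParameters();
        System.out.println("Enabled protocols: " + Arrays.toString(params.getProtocols()));
        if (!noSslVersionEnabled(params)) {
            throw new IllegalStateException("an SSL protocol version is still enabled");
        }
        // Hand 'params' to the driver's socket factory, or apply them with
        // SSLSocket.setSSLParameters(params) on the socket the driver opens.
    }
}
```

When the driver offers no hook for custom SSL parameters, the same restriction can be applied JVM-wide with the `jdk.tls.client.protocols` system property (for example `-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3` on the command line), which sets the default enabled client protocols for every SSLContext created with the default provider. Whichever route is used, the check in `noSslVersionEnabled` is worth running once at start-up so a misconfigured deployment fails loudly instead of silently falling back to SSLv3.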


Both documents intend to prohibit the use of their respective protocol, and both use the same document, RFC 2119, as the reference for their terminology.

RFC 7658 (the one titled "Deprecating...") specifically says:

    Security Considerations

    This entire document aims to improve security by prohibiting the use of a protocol that is not secure.

Both documents were written at different times, by different teams, and both are classified as "Proposed Standard". Moreover, RFC titles seem not to be standardised, and no IETF BCP document specifies how titles should be formed.

The documents should be considered as a whole and their interpretation and application should extend beyond their titles.

techraf