target = "https://tools.ietf.org/rfc/rfc8446#D.5"

# D.5.  Security Restrictions Related to Backward Compatibility
#
# Implementations negotiating the use of older versions of TLS SHOULD
# prefer forward secret and AEAD cipher suites, when available.
# 
# The security of RC4 cipher suites is considered insufficient for the
# reasons cited in [RFC7465].  Implementations MUST NOT offer or
# negotiate RC4 cipher suites for any version of TLS for any reason.
# 
# Old versions of TLS permitted the use of very low strength ciphers.
# Ciphers with a strength less than 112 bits MUST NOT be offered or
# negotiated for any version of TLS for any reason.
# 
# The security of SSL 3.0 [RFC6101] is considered insufficient for the
# reasons enumerated in [RFC7568], and it MUST NOT be negotiated for
# any reason.
# 
# The security of SSL 2.0 [SSL2] is considered insufficient for the
# reasons enumerated in [RFC6176], and it MUST NOT be negotiated for
# any reason.
# 
# Implementations MUST NOT send an SSL version 2.0 compatible
# CLIENT-HELLO.  Implementations MUST NOT negotiate TLS 1.3 or later
# using an SSL version 2.0 compatible CLIENT-HELLO.  Implementations
# are NOT RECOMMENDED to accept an SSL version 2.0 compatible
# CLIENT-HELLO in order to negotiate older versions of TLS.
# 
# Implementations MUST NOT send a ClientHello.legacy_version or
# ServerHello.legacy_version set to 0x0300 or less.  Any endpoint
# receiving a Hello message with ClientHello.legacy_version or
# ServerHello.legacy_version set to 0x0300 MUST abort the handshake
# with a "protocol_version" alert.
# 
# Implementations MUST NOT send any records with a version less than
# 0x0300.  Implementations SHOULD NOT accept any records with a version
# less than 0x0300 (but may inadvertently do so if the record version
# number is ignored completely).
# 
# Implementations MUST NOT use the Truncated HMAC extension, defined in
# Section 7 of [RFC6066], as it is not applicable to AEAD algorithms
# and has been shown to be insecure in some scenarios.

[[spec]]
level = "SHOULD"
quote = '''
Implementations negotiating the use of older versions of TLS SHOULD
prefer forward secret and AEAD cipher suites, when available.
'''

[[spec]]
level = "MUST"
quote = '''
Implementations MUST NOT offer or
negotiate RC4 cipher suites for any version of TLS for any reason.
'''

[[spec]]
level = "MUST"
quote = '''
Ciphers with a strength less than 112 bits MUST NOT be offered or
negotiated for any version of TLS for any reason.
'''

[[spec]]
level = "MUST"
quote = '''
The security of SSL 3.0 [RFC6101] is considered insufficient for the
reasons enumerated in [RFC7568], and it MUST NOT be negotiated for
any reason.
'''

[[spec]]
level = "MUST"
quote = '''
The security of SSL 2.0 [SSL2] is considered insufficient for the
reasons enumerated in [RFC6176], and it MUST NOT be negotiated for
any reason.
'''

[[spec]]
level = "MUST"
quote = '''
Implementations MUST NOT send an SSL version 2.0 compatible
CLIENT-HELLO.
'''

[[spec]]
level = "MUST"
quote = '''
Implementations MUST NOT negotiate TLS 1.3 or later
using an SSL version 2.0 compatible CLIENT-HELLO.
'''

[[spec]]
level = "SHOULD"
quote = '''
Implementations
are NOT RECOMMENDED to accept an SSL version 2.0 compatible
CLIENT-HELLO in order to negotiate older versions of TLS.
'''

[[spec]]
level = "MUST"
quote = '''
Implementations MUST NOT send a ClientHello.legacy_version or
ServerHello.legacy_version set to 0x0300 or less.
'''

[[spec]]
level = "MUST"
quote = '''
Any endpoint
receiving a Hello message with ClientHello.legacy_version or
ServerHello.legacy_version set to 0x0300 MUST abort the handshake
with a "protocol_version" alert.
'''

[[spec]]
level = "MUST"
quote = '''
Implementations MUST NOT send any records with a version less than
0x0300.
'''

[[spec]]
level = "SHOULD"
quote = '''
Implementations SHOULD NOT accept any records with a version
less than 0x0300 (but may inadvertently do so if the record version
number is ignored completely).
'''

[[spec]]
level = "MUST"
quote = '''
Implementations MUST NOT use the Truncated HMAC extension, defined in
Section 7 of [RFC6066], as it is not applicable to AEAD algorithms
and has been shown to be insecure in some scenarios.
'''