Hi all,
As a general rule I'll start a thread of each of the changes to be discussed for inclusion in Mbed TLS 3.0, but as an exception to that rule, I'm grouping several items here because I suspect they probably won't generate much discussion (if any).
Note: in general we keep obsolete crypto primitives in the code base (disabled by default at compile time), so that people can still use them to process old data at rest. This list however is about TLS options, i.e. handling live data in transit, so it makes sense to completely remove them from the code base once they're not used any more. It also decreases the complexity of the code base, hence improving its maintainability, testability and security.
* Drop support for parsing SSLv2 ClientHello (`MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO`). This was only needed back when common frameworks (old versions of Java most notably) used this format for ClientHellos for compatibility with old and buggy servers, and when people would actually consider negotiating SSL 2.0. Fortunately, that's not the case any more. Also, removing this unblocks some much-needed refactorings and simplification of the code (and this option has become hard to test).
* Drop support for SSLv3 (`MBEDTLS_SSL_PROTO_SSL3`). This version of the protocol was deprecated by the IETF (MUST NOT use since 2015 - RFC 7568) and is no longer widely used.
* Drop support for compatibility with our own previous buggy implementation of truncated HMAC (`MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT`). This is only useful for people who want to interoperate with buggy pre-2.7 Mbed TLS. Since those versions are no longer maintained, hopefully everyone has updated by now.
* Drop support for TLS record-level compression (`MBEDTLS_ZLIB_SUPPORT`). There are potential security issues with this option (compression, if any, should be done at the application level in order to separate secrets from attacker-controlled content), it's not widely used, and it was removed in TLS 1.3.
* Drop RC4 ciphersuites. These have been prohibited by RFC 7465 since 2015. (Note: as a bonus, we can then remove the config.h option `MBEDTLS_REMOVE_ARC4_CIPHERSUITES` as well.)
* Drop the single-DES ciphersuites. 56-bit keys, need I say more?
* Support for SSL record hardware acceleration (`MBEDTLS_SSL_HW_RECORD_ACCEL`). Nobody in the team knows how it's supposed to work, it's entirely untested, and we think nobody uses it; it's been failing to build for a while and nobody has complained so far. (Note: we still fixed the bug, see PR #2262.)
Do you agree with the above list? Are you (or people you know) using one of those features? Would you add things to that list (keeping the focus on SSL/TLS obsolete features for now)?
Thanks in advance for sharing your thoughts!
Regards, Manuel.
mbed-tls@lists.trustedfirmware.org
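For anyone who wants to check whether their own build would be affected by the removals proposed above, here is a small audit script. It is an added example, not code from the email or from the Mbed TLS project: it scans a `config.h`-style file for the compile-time options named in the list (and the `MBEDTLS_REMOVE_ARC4_CIPHERSUITES` option that becomes redundant once RC4 ciphersuites are gone) and reports those that are actively `#define`d. It assumes the Mbed TLS convention that a disabled option appears as a line-commented `//#define`; `#if`/`#undef` logic is not evaluated, and the sample configuration at the bottom is constructed for illustration.

```python
import re

# Options the proposal would remove from Mbed TLS 3.0, keyed to the feature they enable.
# Taken from the list above; descriptions are paraphrased from the email.
OBSOLETE_TLS_OPTIONS = {
    "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO": "SSLv2 ClientHello parsing",
    "MBEDTLS_SSL_PROTO_SSL3": "SSL 3.0 (MUST NOT use, RFC 7568)",
    "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT": "compat with buggy pre-2.7 truncated HMAC",
    "MBEDTLS_ZLIB_SUPPORT": "TLS record-level compression",
    "MBEDTLS_SSL_HW_RECORD_ACCEL": "SSL record hardware acceleration (untested)",
}

# Options that do not enable an obsolete feature but lose their purpose once the
# RC4 ciphersuites are dropped; reported separately so they are not mistaken for risks.
REDUNDANT_OPTIONS = {
    "MBEDTLS_REMOVE_ARC4_CIPHERSUITES": "no longer needed once RC4 ciphersuites are removed",
}

# Matches an optionally line-commented "#define MBEDTLS_..." at the start of a line.
# Group 1 captures the "//" prefix that config.h uses to disable an option.
_DEFINE_RE = re.compile(r"^\s*(//\s*)?#\s*define\s+(MBEDTLS_[A-Z0-9_]+)\b")


def enabled_defines(config_text):
    """Return the set of MBEDTLS_* names that are #defined and not line-commented."""
    enabled = set()
    for line in config_text.splitlines():
        match = _DEFINE_RE.match(line)
        if match is None or match.group(1):
            continue  # not a define, or a "//#define" (disabled)
        enabled.add(match.group(2))
    return enabled


def scan_config(config_text):
    """Return a dict with the obsolete and redundant options enabled in the config."""
    enabled = enabled_defines(config_text)
    return {
        "obsolete": sorted(name for name in OBSOLETE_TLS_OPTIONS if name in enabled),
        "redundant": sorted(name for name in REDUNDANT_OPTIONS if name in enabled),
    }


def report(config_text):
    """Return human-readable lines describing what a 3.0 upgrade would break."""
    result = scan_config(config_text)
    lines = []
    for name in result["obsolete"]:
        lines.append("ENABLED obsolete option %s: %s" % (name, OBSOLETE_TLS_OPTIONS[name]))
    for name in result["redundant"]:
        lines.append("redundant option %s: %s" % (name, REDUNDANT_OPTIONS[name]))
    if not lines:
        lines.append("no obsolete TLS options enabled")
    return lines


# Constructed sample config fragment (not a real Mbed TLS config.h).
SAMPLE_CONFIG = """\
#define MBEDTLS_SSL_PROTO_TLS1_2
//#define MBEDTLS_SSL_PROTO_SSL3
#define MBEDTLS_ZLIB_SUPPORT
  #define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in report(text):
        print(line)
```

Run it as `python audit_config.py path/to/config.h`; with no argument it scans the embedded sample. A hit on an obsolete option means the build will stop working on 3.0 and, for SSLv3, compression and RC4, that the current build is negotiating something already prohibited by the IETF.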