Message-ID: <20240807140212.ls_NX9bg@steffen%sdaoden.eu>
Date: Wed, 07 Aug 2024 16:02:12 +0200
From: Steffen Nurpmeso <steffen@...oden.eu>
To: oss-security@...ts.openwall.com
Subject: Re: feedback requested regarding deprecation of TLS 1.0/1.1

Bob Friesenhahn wrote in
 <1dfc8a2f-cc26-4e05-b41d-0398c925226d@...il.com>:
 |On 8/6/24 11:34, Stuart Henderson wrote:
 |> On 2024/08/06 17:12, Marco Moock wrote:
 |>> As a user, this is acceptable for me, but I know there are still
 |>> machines outside that only offer such old versions.
 |>> Some of them can't be upgraded easily because the vendor doesn't
 |>> provide any new versions.
 |> BTW, mainstream web browsers disabled pre-1.2 TLS by default around 2020.
 |FYI, I have old networking equipment for which there is no way to update
 |the firmware, but the hardware is still in use. I find it necessary to
 |enable pre-1.2 TLS support in the browser in order to administer the
 |equipment.
 |
 |It seems important to consider the use cases before disabling old protocols.

Agreed (i had such a necessity in the past, myself).

Given that most sensitive software supports easy configuration, for example by passing through "MinProtocol" configuration settings to *SSL (and i so much like the possibility of a "global central OpenSSL configuration file" that bundles all relevant settings, yet so few programs support that possibility), topics like these always strike me as hysteria. And before the ears ring, i quickly say "as defaults are safe".

Then again it must be said that LibreSSL disabled TLSv1.0 and v1.1 already, with v3.8.2, and labelled it "Security fixes". They had to iterate their ports tree to make this happen, with program specific patches, at times. Lots of work, and such.

In general it seems to me there is a lot of sweeping going on, must be fashionable, maybe. I.e. newer C++ variants become mandatory because of some for() loop syntax use cases, whatever.

Then again getting rid of cruft is a good thing, especially if it is non-functional. (Like some lynx compile time option that uses libraries which no search engine can find, while a modern (current) variant is built-in default, and things like that.) For my own stuff i hope i can someday truly backport it to things from around Y2K. (Some things have sneaked in, because they are such tremendous improvements in security or usability; especially the *at() series has to be named here.)

Yes, in general i do not know, you know. Whereas it is understandable to cut maintenance burden and such, especially so in release engineering, say, FreeBSD, they reduce -- and that is *so* much understandable (and that AlpineLinux *can*!) -- the number of supported branches. Then again love is missing, say, they link only via ftp:// to the old-archives thing, even though it is available via http, too; yet not https, no real info there, nothing. Luckily in earlier times some basic packages were bundled on the CDs already. But i mean, hey, some things you do once, and then .. that is it. Whatever..

Anyway, i feel that respect is due for what has been achieved with the possibilities of that time. At least clothes and shoes were long lasting and of great craftsmanship, a century ago. Hm.

--End of <1dfc8a2f-cc26-4e05-b41d-0398c925226d@...il.com>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbel's Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems to be:
| Total war - shortest war -> Permanent war - everlasting war
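An added illustration of the "global central OpenSSL configuration file" and "MinProtocol" mechanism the message refers to; this is not part of the thread or of any project named in it. The `system_default` section sets a safe floor for every program that leaves the protocol choice to the library (programs that set their own minimum in code ignore it, which is the "so few programs support that possibility" caveat); the file path and the legacy-device remarks in the comments are assumptions.

```ini
# /etc/ssl/openssl.cnf  (location is distribution dependent; assumed path)
# Default section: tell the library which init section to load.
openssl_conf = openssl_init

[openssl_init]
# Hook the libssl configuration module.
ssl_conf = ssl_sect

[ssl_sect]
# Settings applied to every SSL_CTX created by any program using this
# libcrypto/libssl, unless that program overrides them itself.
system_default = system_default_sect

[system_default_sect]
# Floor for the whole system: no TLS 1.0 / TLS 1.1 by default.
MinProtocol = TLSv1.2
# Security level 2 additionally rejects the short RSA/DH keys and SHA-1
# signatures that typically go with pre-1.2 deployments.
CipherString = DEFAULT:@SECLEVEL=2

# For the single device whose firmware cannot be updated, keep this floor
# as it is and instead point one session at a separate copy of this file
# (OPENSSL_CONF=/path/to/legacy-tls.cnf <program>, path assumed) whose
# system_default_sect reads:
#     MinProtocol  = TLSv1
#     CipherString = DEFAULT:@SECLEVEL=0
# OpenSSL 3.x requires security level 0 for TLS 1.0/1.1 handshakes, so
# lowering MinProtocol alone is not sufficient there.
```

`openssl version -d` prints the directory OpenSSL actually reads its default configuration from, which is the quickest way to confirm the file above is the one in effect.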