Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20240807140212.ls_NX9bg@steffen%sdaoden.eu>
Date: Wed, 07 Aug 2024 16:02:12 +0200
From: Steffen Nurpmeso <steffen@...oden.eu>
To: oss-security@...ts.openwall.com
Subject: Re: feedback requested regarding deprecation
 of TLS 1.0/1.1

Bob Friesenhahn wrote in
 <1dfc8a2f-cc26-4e05-b41d-0398c925226d@...il.com>:
 |On 8/6/24 11:34, Stuart Henderson wrote:
 |> On 2024/08/06 17:12, Marco Moock wrote:
 |>> As a user, this is acceptable for me, but I know there are still
 |>> machines outside that only offer such old versions.
 |>> Some of them can't be upgraded easily because the vendor doesn't
 |>> provide any new versions.
 |> BTW, mainstream web browsers disabled pre-1.2 TLS by default around 2020.

 |FYI, I have old networking equipment for which there is no way to update 
 |the firmware, but the hardware is still in use.  I find it necessary to 
 |enable pre-1.2 TLS support in the browser in order to administer the 
 |equipment.
 |
 |It seems important to consider the use cases before disabling old protoc\
 |ols.

Agreed (i had such a necessity in the past, myself).
Given that most sensitive software supports easy configuration, for
example by passing through "MinProtocol" configuration settings to
*SSL (and i so much like the possibility of a "global central
OpenSSL configuration file" that bundles all relevant settings,
yet so few programs support that possibility), topics like these
always strike me as hysteria.  And before the ears ring, i quickly
say "as defaults are safe".

Then again it must be said that LibreSSL disabled TLSv1.0 and v1.1
already, with v3.8.2, and labelled it "Security fixes".  They had
to iterate their ports tree to make this happen, with program
specific patches, at times.  Lots of work, and such.

In general it seems to me there is a lot of sweeping going on,
must be fashionable, maybe.  Ie newer C++ variants become
mandatory because of some for() loop syntax use cases, whatever.
Then again getting rid of cruft is a good thing, especially if it
is non-functional.  (Like some lynx compile time option that uses
libraries which no search engine can find, while a modern
(current) variant is built-in default, and things like that.)
For my own stuff i hope i can someday truly backport it to things
from around Y2K.  (Some things have sneaked in, because they are
so tremendous improvements in security or usability, especially
the *at() series has to be named here.)

Yes, in general i do not know, you know.  Whereas it is
understandable to cut maintenance burden and such, especially so
in release engineering, say, FreeBSD, they reduce -- and that is *so*
much understandable (and that AlpineLinux *can*!) -- the number of
supported branches.  Then again love is missing, say, they link
only via ftp:// to the old-archives thing, even though it is
available via http, too; yet not https, no real info there,
nothing.  Luckily in earlier times some basic packages where
bundled on the CDs already.  But i mean, hey, some things you do
once, and then .. that is it.  Whatever..  Anyway, i feel that
respect is due for what has been achieved with the possibilities
of that time.  At least clothes and shoes where long lasting and
of great craftsmanship, a century ago.  Hm.

 --End of <1dfc8a2f-cc26-4e05-b41d-0398c925226d@...il.com>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbel's Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems o be:
|   Total war - shortest war -> Permanent war - everlasting war

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.