Message-ID: <6c5622dc-681e-4117-ab0d-ef3a2f85dd31@caret.be>
Date: Fri, 9 Aug 2024 12:08:07 +0200
From: Jens Timmerman <jens@...et.be>
To: oss-security@...ts.openwall.com
Subject: Re: feedback requested regarding deprecation of TLS 1.0/1.1


On 8/8/24 12:46 PM, Clemens Lang wrote:
> Hi,
>
>
> Speaking of LTS distros: RHEL 6.10 supports TLS 1.2.

RHEL 6.10 is not a supported distro; its Extended Life Cycle ended one 
month and one week ago (30 Jun 2024).

https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates

> At what point is a distro not LTS, but a museum piece which we can ignore?
I believe after it is no longer supported. I also believe that LTS means 
that the vendor/creator of the distro will provide the support, and will 
make security patches and possibly back-port features if requested. This 
is nothing the community should do for them. (I can claim to support a 
20-year-old version of OpenSSL if I wanted to, but I would not 
expect/request the OpenSSL maintainers to fix my issues for me.)
> What currently supported LTS distro does not support TLS 1.2?
>
>
>> 2. Scanning or crawling a wide variety of systems, e.g. by a search
>> engine indexer, an asset enumeration tool, a security scanner, or during
>> a pentest.
> What good is a search engine index of a webpage no modern browser will connect to?

It is good for penetration testers. If no normal expected users need to 
connect to the service, and only malicious users are expected to connect 
to it, it might be beneficial for the security posture to bring it 
offline or put it behind a proxy.

> The other use cases sound like they’d be done with special tooling anyway, in which case that can continue to ship an older version of OpenSSL for this purpose.
>
Agreed. If an older version of OpenSSL is needed for specific testing 
purposes, I can boot up an old live CD in a VM, or download old source 
releases and build OpenSSL from source myself.

Regards,

Jens Timmerman
