Re: OpenSSL disables TLS 1.0 and 1.1
- Date: Mon, 07 Aug 2017 17:22:51 +0200
- From: Joerg Jaspert <joerg@xxxxxxxxxx>
- Subject: Re: OpenSSL disables TLS 1.0 and 1.1
On 14757 March 1977, Kurt Roeckx wrote:
> I've just uploaded a version of OpenSSL to unstable that disables
> the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the
> only supported SSL/TLS protocol version.
Thats nice for any environment where on can freely define that
everything works like this.
Unfortunately real world doesnt work like it.
> This will likely break certain things that for whatever reason
> still don't support TLS 1.2. I strongly suggest that if it's not
> supported that you add support for it, or get the other side to
> add support for it.
In many cases this isnt possible.
> OpenSSL made a release 5 years ago that supported TLS 1.2. The
> current support of the server side seems to be around 90%. I hope
> that by the time Buster releases the support for TLS 1.2 will be
> high enough that I don't need to enable them again.
I wonder if there is a middle way that ensures that all new stuff does
go TLS1.2 (or later, whenever), but does allow older stuff still to
work. Which isnt the case if they are just disabled.