Web lists-archives.com

Re: OpenSSL disables TLS 1.0 and 1.1




On Aug 7, 2017 8:23 AM, "Joerg Jaspert" <joerg@xxxxxxxxxx> wrote:
On 14757 March 1977, Kurt Roeckx wrote:

> This will likely break certain things that for whatever reason
> still don't support TLS 1.2. I strongly suggest that if it's not
> supported that you add support for it, or get the other side to
> add support for it.

In many cases this isnt possible.

I can think of a lot of "enterprise" tools that have been built for older versions of Java. In most cases, the vendors have no interest in doing anything required to get away from a TLSv1.0 requirement. I'm also aware some of the well-known search engine bots that support only TLSv1.0.

Is there an actual need for the removal of TLS v1.{0,1}? Are either considered broken or unsupported by upstream? If not, I'd be much more concerned about what's going to start breaking by making this change.

Shouldn't a change like this at least start with packages such as nginx, apache, etc. and seeing if they can drop those from the default configuration? Heck, I'm sure we could even include a comment along the lines of "if you need to re-enable older TLS versions due to application compatibility, please respond to bug #123".

I'm not sure what exactly would be a better idea, but disabling globally with no easy workaround sounds like a recipe for pain and very angry users.