
Re: OpenSSL disables TLS 1.0 and 1.1

On Mon, Aug 07, 2017 at 08:35:52PM +0200, Kurt Roeckx wrote:
> On Mon, Aug 07, 2017 at 05:22:51PM +0200, Joerg Jaspert wrote:
> > I wonder if there is a middle way that ensures that all new stuff does
> > go TLS1.2 (or later, whenever), but does allow older stuff still to
> > work. Which isn't the case if they are just disabled.
> I could change the default settings to set the minimum supported
> version as TLS 1.2. That is, act like
> SSL_CTX_set_min_proto_version() was called with TLS1_2_VERSION.
> That would allow applications to override this by calling
> SSL_CTX_set_min_proto_version(). But then those are new
> functions in 1.1.0 and they probably aren't supported by many
> applications.
> Another alternative is to use the deprecated SSL_CTX_set_options
> options (SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1) by default, but then
> there is probably no software that has support for clearing those
> with SSL_CTX_clear_options()

Would it instead be possible to create an item in the openssl.conf file
to disable TLS1.2 by default? That way, users can re-enable TLS1.{0,1}
in cases where that's required, and you can drop TLS1.0 and 1.1 (and
possibly 1.2 even, if 1.3 has enough traction) in bullseye.


Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
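As an added illustration of the openssl.conf approach suggested above (this is not text or configuration from the thread itself): OpenSSL's config file has an "ssl_conf" module, and from OpenSSL 1.1.1 on a "system_default" section in it is applied to every SSL_CTX at creation time, so a minimum protocol version can be set in /etc/ssl/openssl.cnf without any application calling SSL_CTX_set_min_proto_version(). The section names below (default_conf, ssl_sect, system_default_sect) are arbitrary labels chosen for this example; MinProtocol and CipherString are real SSL_CONF commands. The first block turns TLS 1.0 and 1.1 off system-wide; the second is the one-line local override an administrator would apply on a host that still has to talk to old peers.

```ini
# /etc/ssl/openssl.cnf (example fragment, not from the thread)
# The top-level "openssl_conf" key names the section that lists the
# configuration modules to load; it must appear before any [section].
openssl_conf = default_conf

[default_conf]
# Load the SSL configuration module and point it at our settings.
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" is applied to every SSL_CTX on creation
# (OpenSSL 1.1.1 and later); applications may still override it
# with SSL_CTX_set_min_proto_version() or SSL_CTX_config().
system_default = system_default_sect

[system_default_sect]
# Hardened default: refuse TLS 1.0 and 1.1 for clients and servers alike.
MinProtocol = TLSv1.2
# Optional companion setting: security level 2 also rejects weak
# ciphers and small keys.
CipherString = DEFAULT@SECLEVEL=2

# ---- Local override for a host that must still accept legacy peers ----
# Replace the MinProtocol line above with the following; this re-enables
# TLS 1.0 and 1.1 system-wide, which is exactly the case the thread wants
# to keep possible but off by default.
#
# [system_default_sect]
# MinProtocol = TLSv1
```

Two things worth checking after such a change: `openssl s_client -tls1 -connect host:443` against a local service should now fail the handshake with a "protocol version" alert while `-tls1_2` succeeds, and any application that sets its own minimum version in code keeps that value, because SSL_CTX_set_min_proto_version() runs after the system_default section has been applied to the new context.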