Re: OpenSSL disables TLS 1.0 and 1.1
- Date: Fri, 11 Aug 2017 15:09:48 +0200
- From: Sven Hartge <sven@xxxxxxxxxxxxx>
- Subject: Re: OpenSSL disables TLS 1.0 and 1.1
Marco d'Itri <md@xxxxxxxx> wrote:
> On Aug 11, Marco d'Itri <md@xxxxxxxx> wrote:
>> but I see on your link that Android pre-5.x still has a ~25% market
>> share, so unless it will drop a lot in the next year I do not think
>> that we can cut them off from Debian-based web servers.
> OTOH if the PCI council says that TLS < 1.2 has to go by june 2018
> then this will probably not be such a big deal:
> But as it has been noted there is more than HTTP, so totally removing
> support for 1.0/1.1 may still not be appropriate.
Not everything is regulated by the PCI council.
If, after upgrading to Buster, suddenly 25% of the students of my
university can no longer connect to the wireless network, it will be
hell on earth for me and my support staff.
It is nice to say "well, then get the other side to upgrade to a new
device", but as it has already been said in this discussion: The real
world does not work that way.
Unless it has been proven that TLS1.0 and TLS1.1 are as broken as SSL3,
please keep the support for them enabled in OpenSSL, and just change the
defaults in the application to only use TLS1.2 (unless changed by the
Sigmentation fault. Core dumped.