Web lists-archives.com

Re: openssl/libssl1 in Debian now blocks offlineimap?

On Aug 15, 2017 08:05, "Kurt Roeckx" <kurt@xxxxxxxxx> wrote:

> Do you really think that big companies like cable provides give a
> **** about what Debian deprecates?  I was personally fighting with similar
> problems in Firefox and the internal side at my university.

My problem is that if we don't do something, TLS 1.0 will be used
for an other 10 year, and that's just not acceptable. So I would

Nobody said we should do nothing, but it should be clear by this point that this total removal is going to cause a lot of problems for admins and users.

like to do something so that hopefully by the time Buster releases
you can disable TLS 1.0 by default, and that almost no users would
need to enable it again.

If Debian is going to be the only motivating factor for change then the pressure that causes the change will be from system admins hosting applications. These admins will *NEED* to re-enable older versions.

Companies might not listen to customers, but vendors listen to the money providers. It's rarely a fast change, though. It's usually a ticket tossed into the wishlist pile until enough people make noise.

I'm currently working on a project with a client to replace TLSv1.0 with TLSv1.2. We're hoping to have this rolled out in a lab in the next four months, but it's been a "priority" project for over two years.

It's not for lack of motivation or effort; there are a lot of interesting roll-out issues. This is when motivation to change already exists. "Some distro disabled support for it" is going to lead to vendors outright saying, "use a different distro and wait until we get around to it."

I imagine users would be more inclined to just switch to a different distribution that doesn't break their chrome/firefox/internet's. If a client came to us and said their agent broke because their OS dropped that support, our choice would be to say tough luck.

Having TLS 1.0 (and 1.1) enabled by default itself is not a
problem, it's actually using it that's a problem. There are
clearly still too many that don't support TLS 1.2, but it's
getting better.

I don't think it was answered... Is there an actual reason that this needs to be handled urgently? Is TLSv1.0/v1.1 considered broken? Is there a reason there was no discussion on this list before the decision was made and pushed?

Disabling the protocols is the only way I know how to identify
all the problems. And I would like to encourage everybody to
contact the other side if things break and get them to upgrade.

It might be the only way you know, but this list has lots of admin types that could probably help out. Perhaps you could upload a fixed openssl so we can open that discussion about what's appropriate?

I've already suggested dropping it from all default configs for a release cycle. It's not until the next release that we can assume a majority of pro-active admins will have been made aware that we(Debian) are deprecating older TLS versions.

Dropping out-of-the box support sounds like a great idea, but the back-out option needs to be easy and should be able to be toggled per-application, giving people a chance to react to this change instead of making them scramble for a patch.