Re: openssl/libssl1 in Debian now blocks offlineimap?

]] Adrian Bunk 

> Or did this start as a coordinated effort of several major Linux
> distributions covering all TLS implementations?

While not speaking for Kurt, there's been a move towards getting rid of
TLS < 1.2 for quite some time, by reasonably important players such as
the PCI-DSS consortium which announced in 2015 that June 2016 would be
the deadline for disabling older TLS versions.  As we all know, we're
past that date now, and TLS < 1.2 is still around and entirely too
well-supported.  The PCI consortium extended the deadline until June
2018.  Assuming that deadline holds, people with older machines will not
be able to access services such as online banking or pay online in
general.

I'm hoping they won't extend the deadline again, but they're pragmatic.
As they write in their press release: “…in the field a lot of business
issues surfaced…” said Stephen Orfei, General Manager, PCI SSC. “We want
merchants protected against data theft but not at the expense of turning
away business, so we changed the date.”

> Nothing that Debian does alone will have any measurable impact
> on TLS 1.0 usage.

I think you're wrong on this point: having Debian make this change makes
it a lot easier for me to go to company management and explain that TLS
v1.2 is the only way forward and that we need to spend engineering
resources to make sure any users on platforms where support for that is
lacking get a proper notification and a chance to move to something
newer.  «We need to do this because this change is coming, whether we
want it or not.»

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are