Re: openssl/libssl1 in Debian now blocks offlineimap?

Excerpts from Tollef Fog Heen's message of 2017-08-18 22:07:49 +0200:
> ]] Adrian Bunk 
> > Or did this start as a coordinated effort of several major Linux
> > distributions covering all TLS implementations?
> While not speaking for Kurt, there's been a move towards getting rid of
> TLS < 1.2 for quite some time, by reasonably important players such as
> the PCI-DSS consortium which announced in 2015 that June 2016 would be
> the deadline for disabling older TLS versions.  As we all know, we're
> past that date now, and TLS < 1.2 is still around and entirely too
> well-supported.  The PCI consortium extended the deadline until June
> 2018.  Assuming that deadline holds, people with older machines will not
> be able to access services such as online banking or pay online in
> general.
> I'm hoping they won't extend the deadline again, but they're pragmatic.
> As they write in their press release: “…in the field a lot of business
> issues surfaced…” said Stephen Orfei, General Manager, PCI SSC. “We want
> merchants protected against data theft but not at the expense of turning
> away business, so we changed the date.”
> > Nothing that Debian does alone will have any measurable impact
> > on TLS 1.0 usage.
> I think you're wrong on this point: having Debian make this change makes
> it a lot easier for me to go to company management and explain that TLS
> v1.2 is the only way forward and that we need to spend engineering
> resources to make sure any users on platforms where support for that is
> lacking get a proper notification and a chance to move to something
> newer.  «We need to do this because this change is coming, whether we
> want it or not.»

Businesses assess risk on every level as part of operating a business. If
replacing Debian is cheaper than replacing whatever requires TLS 1.0,
some companies will absolutely choose the former.

It may not be wise to make business people choose between Debian and