Web lists-archives.com

Re: openssl/libssl1 in Debian now blocks offlineimap?




Hi Tollef!

On Fri, 18 Aug 2017, Tollef Fog Heen wrote:

> I think you're wrong on this point, having Debian make this change makes
> it a lot easier for me to go to company management and explain that TLS
> v1.2 is the only way forward and that we need to spend engineering
> resources to make sure any users on platforms where support for that is
> lacking get a proper notification and a chance to move to something
> newer.  «We need to do this because this change is coming, whether we
> want it or not.»

If you need more "firepower" for management: The BSI (german
governmental organisation for security in information technology) has
guidelines regarding cryptography, see 

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf

They say in their technical guidelines that TLS 1.1 is not recommended
anymore and TLS 1.0 is not recommended at all.
SSLv2 and SSLv3 are not recommended.

So, if managers want to have somewhere "officially" written that
TLS1.0 and 1.1 shouldn't be used anymore, this is a guideline I can
recommend.

And IMHO we as debian should support all people going for stronger
encryption by enabling it as good as possible and make it default. If
someone wants or needs to use older ciphers, he should be able to, but
it shouldn't be default...

best regards, Hanno
-- 
|  Hanno Wagner  | Member of the HTML Writers Guild  | Rince@IRC      |
| Eine gewerbliche Nutzung meiner Email-Adressen ist nicht gestattet! |
| 74 a3 53 cc 0b 19 - we did it!          |    Generation @           |

#"Es gibt ja angeblich keine dummen Fragen (alte Lebensweisheit), aber es
# gibt auch keine Lebensweisheit, die ?berall pa?t..." 
#	-- hans@xxxxxxxxxxxxxxxx (Hans-Joachim Baader)