Web lists-archives.com

Re: openssl/libssl1 in Debian now blocks offlineimap?




Quoting Hanno Rince' Wagner (2017-08-20 22:01:51)
> On Fri, 18 Aug 2017, Tollef Fog Heen wrote:
> 
> > I think you're wrong on this point, having Debian make this change makes
> > it a lot easier for me to go to company management and explain that TLS
> > v1.2 is the only way forward and that we need to spend engineering
> > resources to make sure any users on platforms where support for that is
> > lacking get a proper notification and a chance to move to something
> > newer.  «We need to do this because this change is coming, whether we
> > want it or not.»
> 
> If you need more "firepower" for management: The BSI (german
> governmental organisation for security in information technology) has
> guidelines regarding cryptography, see 
> 
> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf
> 
> They say in their technical guidelines that TLS 1.1 is not recommended
> anymore and TLS 1.0 is not recommended at all.
> SSLv2 and SSLv3 are not recommended.
> 
> So, if managers want to have somewhere "officially" written that
> TLS1.0 and 1.1 shouldn't be used anymore, this is a guideline I can
> recommend.
> 
> And IMHO we as debian should support all people going for stronger
> encryption by enabling it as good as possible and make it default. If
> someone wants or needs to use older ciphers, he should be able to, but
> it shouldn't be default...

I believe noone in this thread disagree with _recommending_ only TLS 1.2 
and that no services _should_ use anything else.

Question is if Debian _force_ only TLS 1.2 so that no services _can_ use 
anything else.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature