Re: openssl/libssl1 in Debian now blocks offlineimap?




Hi Jonas!

On Sun, 20 Aug 2017, Jonas Smedegaard wrote:

> I believe no one in this thread disagrees with _recommending_ only TLS 1.2 
> and that no services _should_ use anything else.

Yes and no. This discussion is not whether _we_ want to use the new
versions but whether the user wants to.
And if you are using Debian within a company, there are usually rules
like "it has to be the best experience for the customer" or so, which
would say enable everything and don't care about security.
But if you have a company that wants to be state of the art in terms of
security - and this doesn't mean from the technical point of view but
from a management point of view - then you read such guidelines and
take their recommendations seriously. Not because it is technically
good but because some organisation wants to have it in their
management language.
These guidelines help you make your point valid for the management.

> Question is if Debian _forces_ only TLS 1.2 so that no services _can_ use 
> anything else.

IMHO we should have the default at TLS 1.2, but be able to configure
1.0. But this has to be an opt-in value, not an opt-out.

best regards, Hanno Wagner
-- 
|  Hanno Wagner  | Member of the HTML Writers Guild  | Rince@IRC      |
| Commercial use of my e-mail addresses is not permitted!             |
| 74 a3 53 cc 0b 19 - we did it!          |    Generation @           |
#"That's probably because you set "limit memory to lower 1MB" in DOS 
# (like everybody does)." -- Gerhard Wesp in de.comp.os.linux
