Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-24 Thread Clint Byrum
Excerpts from Adam Borowski's message of 2017-08-24 22:10:40 +0200:
> On Thu, Aug 24, 2017 at 01:45:02PM +, Bernhard Schmidt wrote:
> > The point was, even if all Debian based MTAs disabled
> > TLSv1.0/TLSv1.1 leading to delivery issues a very large portion of
> > senders won't fix their

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-24 Thread Adam Borowski
On Thu, Aug 24, 2017 at 01:45:02PM +, Bernhard Schmidt wrote:
> The point was, even if all Debian based MTAs disabled
> TLSv1.0/TLSv1.1 leading to delivery issues a very large portion of
> senders won't fix their servers. They simply won't give a damn. Unless
> Google and Microsoft do the

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-24 Thread Bernhard Schmidt
Scott Kitterman wrote:
>
>
> On August 24, 2017 8:05:20 AM EDT, Bernhard Schmidt wrote:
>>Kurt Roeckx wrote:
>>
>>> Disabling the protocols is the only way I know how to identify
>>> all the problems. And I would like to encourage

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-24 Thread Scott Kitterman
On August 24, 2017 8:05:20 AM EDT, Bernhard Schmidt wrote:
>Kurt Roeckx wrote:
>
>> Disabling the protocols is the only way I know how to identify
>> all the problems. And I would like to encourage everybody to
>> contact the other side if things break and get

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-24 Thread Bernhard Schmidt
Kurt Roeckx wrote:
> Disabling the protocols is the only way I know how to identify
> all the problems. And I would like to encourage everybody to
> contact the other side if things break and get them to upgrade.

There is now #873065 on Postfix which suggests MTAs don't fall

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-23 Thread Wouter Verhelst
On Sun, Aug 20, 2017 at 11:03:33PM +0200, Hanno Rince' Wagner wrote:
> Hi Jonas!
> > Question is if Debian _force_ only TLS 1.2 so that no services _can_ use
> > anything else.
>
> IMHO we should have the default at TLS 1.2, but be able to configure
> 1.0. But this has to be an opt-in value, not

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-20 Thread Jonas Smedegaard
Quoting Hanno Rince' Wagner (2017-08-20 22:01:51)
> On Fri, 18 Aug 2017, Tollef Fog Heen wrote:
>
> > I think you're wrong on this point, having Debian make this change makes
> > it a lot easier for me to go to company management and explain that TLS
> > v1.2 is the only way forward and that we

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-20 Thread Michael Meskes
> pretty poor choice. Providing people with the possibility to fall back
> to less secure solutions sounds like a much better choice, just like

Problem is, where is this possibility right now?

Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-20 Thread Wouter Verhelst
On Sun, Aug 20, 2017 at 01:51:16PM +0200, Tollef Fog Heen wrote:
> Arguing for keeping TLS 1.0 support means you're arguing for providing
> users with a default-insecure setup.

No. Arguing for keeping TLS1.0 *enabled by default* does. But arguing for *allowing* it to be re-enabled (without

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-20 Thread Adrian Bunk
On Sun, Aug 20, 2017 at 01:51:16PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>...
> > Think of the "TLS 1.2 not working with WPA" discussed earlier here that
> > might still affect half a billion active Android devices at the buster
> > release date.[1]
> >
> > The online banking app

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-20 Thread Tollef Fog Heen
]] Adrian Bunk
> On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> > ]] Adrian Bunk
> >...
> > The PCI consortium extended the deadline until June
> > 2018. Assuming that deadline holds, people with older machines will not
> > be able to access services such as online banking

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-20 Thread Sven Hartge
Adrian Bunk wrote:
> [1] I haven't investigated how widespread this specific problem
> actually is, or whether it can be mitigated - the point is that
> it is unrelated to TLS versions supported by PayPal or online
> banking apps running on the device

I asked on

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-20 Thread Adrian Bunk
On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>...
> The PCI consortium extended the deadline until June
> 2018. Assuming that deadline holds, people with older machines will not
> be able to access services such as online banking or pay online in
> general.

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-18 Thread Clint Byrum
Excerpts from Tollef Fog Heen's message of 2017-08-18 22:07:49 +0200:
> ]] Adrian Bunk
>
> > Or did this start as a coordinated effort of several major Linux
> > distributions covering all TLS implementations?
>
> While not speaking for Kurt, there's been a move towards getting rid of
> TLS <

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-18 Thread Tollef Fog Heen
]] Adrian Bunk
> Or did this start as a coordinated effort of several major Linux
> distributions covering all TLS implementations?

While not speaking for Kurt, there's been a move towards getting rid of TLS < 1.2 for quite some time, by reasonably important players such as the PCI-DSS

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-18 Thread Wouter Verhelst
On Tue, Aug 15, 2017 at 05:04:50PM +0200, Kurt Roeckx wrote:
> My problem is that if we don't do something, TLS 1.0 will be used
> for another 10 years, and that's just not acceptable.

My problem is that the cause you're fighting, while laudable, should not be fought in Debian. Debian is a

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-15 Thread Nicolas Sebrecht
On Tue, Aug 15, 2017 at 05:04:50PM +0200, Kurt Roeckx wrote:
> My problem is that if we don't do something, TLS 1.0 will be used
> for another 10 years, and that's just not acceptable.

The usage of TLS in the wild does not rely on you. Neither does it on Debian, IMHO. Now, when talking about

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-15 Thread Kurt Roeckx
On Tue, Aug 15, 2017 at 10:43:08AM -0700, Michael Lustfield wrote:
> I don't think it was answered... Is there an actual reason that this needs
> to be handled urgently? Is TLSv1.0/v1.1 considered broken?

Yes.

Kurt

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-15 Thread Michael Lustfield
On Aug 15, 2017 08:05, "Kurt Roeckx" wrote: > Do you really think that big companies like cable providers give a > about what Debian deprecates? I was personally fighting with similar > problems in Firefox and the internal side at my university. My problem is that if we

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-15 Thread Adrian Bunk
On Tue, Aug 15, 2017 at 05:04:50PM +0200, Kurt Roeckx wrote:
> On Tue, Aug 15, 2017 at 10:49:05PM +0900, Norbert Preining wrote:
>...
> > Do you really think that big companies like cable providers give a
> > about what Debian deprecates? I was personally fighting with similar
> > problems

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-15 Thread Kamil Jońca
Kurt Roeckx writes:

[...]
>
> Disabling the protocols is the only way I know how to identify
> all the problems. And I would like to encourage everybody to
> contact the other side if things break and get them to upgrade.

And who pays for new Windows licenses (And I do not know

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-15 Thread Michael Meskes
> Disabling the protocols is the only way I know how to identify
> all the problems. And I would like to encourage everybody to
> contact the other side if things break and get them to upgrade.

So you make the decision that everyone should talk to their providers etc.? I can actually understand

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-15 Thread Kurt Roeckx
On Tue, Aug 15, 2017 at 10:49:05PM +0900, Norbert Preining wrote:
> Hi Kurt,
>
> I read your announcement on d-d-a, but due to moving places
> I couldn't answer.
>
> I consider the unconditional deprecation of TLS 1.0 and 1.1
> a very wrong move.
>
> Be strict with what you are sending out, but

Re: openssl/libssl1 in Debian now blocks offlineimap?

2017-08-15 Thread Norbert Preining
Hi Kurt,

I read your announcement on d-d-a, but due to moving places I couldn't answer.

I consider the unconditional deprecation of TLS 1.0 and 1.1 a very wrong move.

Be strict with what you are sending out, but relaxed with what you receive. This paradigm is hurt by this move and our users at