Excerpts from Adam Borowski's message of 2017-08-24 22:10:40 +0200:
> On Thu, Aug 24, 2017 at 01:45:02PM +, Bernhard Schmidt wrote:
> > The point was, even if all Debian based MTAs disabled
> > TLSv1.0/TLSv1.1 leading to delivery issues a very large portion of
> > senders won't fix their
On Thu, Aug 24, 2017 at 01:45:02PM +, Bernhard Schmidt wrote:
> The point was, even if all Debian based MTAs disabled
> TLSv1.0/TLSv1.1 leading to delivery issues a very large portion of
> senders won't fix their servers. They simply won't give a damn. Unless
> Google and Microsoft do the
Scott Kitterman wrote:
>
>
> On August 24, 2017 8:05:20 AM EDT, Bernhard Schmidt wrote:
>>Kurt Roeckx wrote:
>>
>>> Disabling the protocols is the only way I know how to identify
>>> all the problems. And I would like to encourage
On August 24, 2017 8:05:20 AM EDT, Bernhard Schmidt wrote:
>Kurt Roeckx wrote:
>
>> Disabling the protocols is the only way I know how to identify
>> all the problems. And I would like to encourage everybody to
>> contact the other side if things break and get
Kurt Roeckx wrote:
> Disabling the protocols is the only way I know how to identify
> all the problems. And I would like to encourage everybody to
> contact the other side if things break and get them to upgrade.
There is now #873065 on Postfix which suggests MTAs don't fall
On Sun, Aug 20, 2017 at 11:03:33PM +0200, Hanno Rince' Wagner wrote:
> Hi Jonas!
> > Question is if Debian _force_ only TLS 1.2 so that no services _can_ use
> > anything else.
>
> IMHO we should have the default at TLS 1.2, but be able to configure
> 1.0. But this has to be an opt-in value, not
Quoting Hanno Rince' Wagner (2017-08-20 22:01:51)
> On Fri, 18 Aug 2017, Tollef Fog Heen wrote:
>
> > I think you're wrong on this point, having Debian make this change makes
> > it a lot easier for me to go to company management and explain that TLS
> > v1.2 is the only way forward and that we
> pretty poor choice. Providing people with the possibility to fall back
> to less secure solutions sounds like a much better choice, just like
Problem is, where is this possibility right now?
Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes
On Sun, Aug 20, 2017 at 01:51:16PM +0200, Tollef Fog Heen wrote:
> Arguing for keeping TLS 1.0 support means you're arguing for providing
> users with a default-insecure setup.
No.
Arguing for keeping TLS1.0 *enabled by default* does. But arguing for
*allowing* it to be re-enabled (without
On Sun, Aug 20, 2017 at 01:51:16PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>...
> > Think of the "TLS 1.2 not working with WPA" discussed earlier here that
> > might still affect half a billion active Android devices at the buster
> > release date.[1]
> >
> > The online banking app
]] Adrian Bunk
> On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> > ]] Adrian Bunk
> >...
> > The PCI consortium extended the deadline until June
> > 2018. Assuming that deadline holds, people with older machines will not
> > be able to access services such as online banking
Adrian Bunk wrote:
> [1] I haven't investigated how widespread this specific problem
> actually is, or whether it can be mitigated - the point is that
> it is unrelated to TLS versions supported by PayPal or online
> banking apps running on the device
I asked on
On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>...
> The PCI consortium extended the deadline until June
> 2018. Assuming that deadline holds, people with older machines will not
> be able to access services such as online banking or pay online in
> general.
Excerpts from Tollef Fog Heen's message of 2017-08-18 22:07:49 +0200:
> ]] Adrian Bunk
>
> > Or did this start as a coordinated effort of several major Linux
> > distributions covering all TLS implementations?
>
> While not speaking for Kurt, there's been a move towards getting rid of
> TLS <
]] Adrian Bunk
> Or did this start as a coordinated effort of several major Linux
> distributions covering all TLS implementations?
While not speaking for Kurt, there's been a move towards getting rid of
TLS < 1.2 for quite some time, by reasonably important players such as
the PCI-DSS
On Tue, Aug 15, 2017 at 05:04:50PM +0200, Kurt Roeckx wrote:
> My problem is that if we don't do something, TLS 1.0 will be used
> for another 10 years, and that's just not acceptable.
My problem is that the cause you're fighting, while laudable, should not
be fought in Debian.
Debian is a
On Tue, Aug 15, 2017 at 05:04:50PM +0200, Kurt Roeckx wrote:
> My problem is that if we don't do something, TLS 1.0 will be used
> for another 10 years, and that's just not acceptable.
The usage of TLS in the wild does not rely on you. Neither does it on
Debian, IMHO.
Now, when talking about
On Tue, Aug 15, 2017 at 10:43:08AM -0700, Michael Lustfield wrote:
> I don't think it was answered... Is there an actual reason that this needs
> to be handled urgently? Is TLSv1.0/v1.1 considered broken?
Yes.
Kurt
On Aug 15, 2017 08:05, "Kurt Roeckx" wrote:
> Do you really think that big companies like cable providers give a
> about what Debian deprecates? I was personally fighting with similar
> problems in Firefox and the internal side at my university.
My problem is that if we
On Tue, Aug 15, 2017 at 05:04:50PM +0200, Kurt Roeckx wrote:
> On Tue, Aug 15, 2017 at 10:49:05PM +0900, Norbert Preining wrote:
>...
> > Do you really think that big companies like cable providers give a
> > about what Debian deprecates? I was personally fighting with similar
> > problems
Kurt Roeckx writes:
[...]
>
> Disabling the protocols is the only way I know how to identify
> all the problems. And I would like to encourage everybody to
> contact the other side if things break and get them to upgrade.
And who pays for new Windows licenses (and I do not know
> Disabling the protocols is the only way I know how to identify
> all the problems. And I would like to encourage everybody to
> contact the other side if things break and get them to upgrade.
So you make the decision that everyone should talk to their providers
etc.? I can actually understand
On Tue, Aug 15, 2017 at 10:49:05PM +0900, Norbert Preining wrote:
> Hi Kurt,
>
> I read your announcement on d-d-a, but due to moving places
> I couldn't answer.
>
> I consider the unconditional deprecation of TLS 1.0 and 1.1
> a very wrong move.
>
> Be strict with what you are sending out, but
Hi Kurt,
I read your announcement on d-d-a, but due to moving places
I couldn't answer.
I consider the unconditional deprecation of TLS 1.0 and 1.1
a very wrong move.
Be strict with what you are sending out, but relaxed with what
you receive.
This paradigm is hurt by this move and our users at
24 matches