On 2017-09-22 11:12:52 [+0200], Raphael Hertzog wrote:
> Hi,
>
> On Thu, 21 Sep 2017, Sebastian Andrzej Siewior wrote:
> > The changes Kurt asked about is something that openssl upstream supports
> > and is something that openssl 1.1 considers the right way of doing
> > things (in contrast to the disable TLS-version X thingy which are marked
> > deprecated or going to…).
>
> Why has it been implemented as a Debian specific patch then?

There is nothing Debian specific, except for the build options used, and the
patches are upstream as far as I recall.

> I don't think that upstream planned to deprecate TLS 1.0 and TLS 1.1
> at this point yet. Yes, there are methods to control which TLS versions
> you accept to use but those are optional and the default is to accept
> all TLS versions and this default effectively changed in Debian, forcing
> all applications to add code to re-enable all TLS versions.

fastly plans to disable TLS <1.2 on June 30, 2018 as per PCI SSC:
  https://www.fastly.com/blog/update-our-tls-10-and-11-deprecation-plan/
which is the extended deadline:
  https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
and Buster should be around mid-end 2019.

> > So what problems do those users see? If the package lacks 1.2 support
> > then it should be reported & fixed. If the package requires <1.2 support
> > because the remote side can't be changed then this should be reported and
> > patched as well.
>
> I think the discussion has been rather clear on the fact that the remote
> side is not always patchable (old android versions which are not
> getting updates, etc.).

and for those things where you can not update and you *want* to run unpatched
software and need TLS1.0 you can patch/add a switch to the software in Debian
to allow TLS < 1.2, but not by default.

> > since it is unlikely that things change here. Also it is unwise to make
> > such a change two days before the release of Buster. *Now* we have the
> > time to act.
>
> buster should not ship with TLS 1.0 and TLS 1.1 disabled.

It is not entirely disabled, you just need to add a switch (if not yet done)
to enable TLS 1.[01] on purpose. We talk here about 2019. We already have
3des and RC4 disabled, which is something you would not expect after the
Jessie release.

> Cheers,

Sebastian
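The "minimum protocol version" approach the thread credits to OpenSSL 1.1, with the explicit opt-in switch Sebastian describes, as an added example that is not code from the thread or from Debian's packaging. It uses Python's ssl module, whose minimum_version setter wraps SSL_CTX_set_min_proto_version(); the function names and the _ORDERED table are assumptions of this example.

```python
import ssl

# Protocol versions in publication order; resolves the MINIMUM_SUPPORTED /
# MAXIMUM_SUPPORTED sentinels into concrete versions.
_ORDERED = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def make_context(allow_legacy_tls: bool = False) -> ssl.SSLContext:
    """Client context with a TLS 1.2 floor unless the caller explicitly opts in.

    allow_legacy_tls=True is the per-program "switch" the thread talks about;
    it lowers the floor to TLS 1.0. The floor is set via minimum_version, which
    wraps OpenSSL's SSL_CTX_set_min_proto_version(), not via the deprecated
    OP_NO_TLSv1 / OP_NO_TLSv1_1 option bits.
    """
    ctx = ssl.create_default_context()
    floor = ssl.TLSVersion.TLSv1 if allow_legacy_tls else ssl.TLSVersion.TLSv1_2
    try:
        ctx.minimum_version = floor
    except ValueError as exc:
        # libssl was built without that protocol: no runtime switch restores it.
        raise RuntimeError(f"{floor.name} is not compiled into libssl") from exc
    return ctx


def protocol_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context is configured to offer."""
    lo = ctx.minimum_version
    return _ORDERED[0] if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else lo.name


def accepts_version(ctx: ssl.SSLContext, version: str) -> bool:
    """Static check of the configured [min, max] window (no handshake is run)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_i = 0 if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else _ORDERED.index(lo.name)
    hi_i = (len(_ORDERED) - 1 if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED
            else _ORDERED.index(hi.name))
    return lo_i <= _ORDERED.index(version) <= hi_i


if __name__ == "__main__":
    for legacy in (False, True):
        try:
            ctx = make_context(allow_legacy_tls=legacy)
        except RuntimeError as exc:
            print(f"legacy switch={legacy}: {exc}")
            continue
        print(f"legacy switch={legacy}: floor={protocol_floor(ctx)}, "
              f"TLSv1 accepted={accepts_version(ctx, 'TLSv1')}")
```

The default context refuses TLS 1.0 and 1.1 outright; only the opt-in path widens the window, and on a libssl compiled without TLS 1.0 even that fails loudly rather than silently.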