On 10/30/13 9:17 AM, Dave Cridland wrote:
> Tomasz Sterna wrote:
> > On 2013-10-30, Wed, at 15:58 +0100, Thijs Alkemade wrote:
> >>> And discouraging TLSv1 in favor of TLSv1.2 when latest OpenSSL does not
> >>> even support TLSv1.1 nor v1.2 is a pie-in-the-sky.
> >>
> >> OpenSSL supports TLS 1.2 since 1.0.1 (and I think TLS 1.1 since the same
> >> version), released March 14th, 2012.
> >
> > Doh. You're right.
> > The docs I've been looking at are heavily outdated,
> >
> > Welcome to OpenSSL development.
> >
> > That said, the discussion in j...@conference.jabber.org enlightened
> > me that on Ubuntu, they've disabled TLSv1.2 because of a couple of
> > load balancers.

Do you have more detailed information about that?

https://datatracker.ietf.org/doc/draft-saintandre-xmpp-tls/ says MUST prefer TLS 1.2, MAY negotiate TLS 1.1, SHOULD NOT negotiate TLS 1.0, MUST NOT negotiate SSLv3 or SSLv2.

The previous release of the document said "MAY negotiate TLS 1.0". I still think SHOULD NOT is better for TLS 1.0, but I think it would be good to explain why it's not a great idea and also the legitimate reasons why one would negotiate TLS 1.0 (e.g., if TLS 1.1 and TLS 1.2 are not available).

I'm not trying to be pie-in-the-sky, but I'm also trying to set some more aggressive goals than export-level ciphers, unauthenticated connections, no forward secrecy, and other weak technologies. We can do better than that!

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: jdev-unsubscr...@jabber.org
_______________________________________________
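
The version levels quoted in the message above, applied to a Python client as an added example (not part of the original message or of the draft). The `allow_tls10` flag, the `audit` helper and the sample peers are assumptions made for illustration.

```python
import ssl
import warnings

# Requirement levels as quoted in the message (draft-saintandre-xmpp-tls).
# Keys are the strings ssl.SSLSocket.version() returns after a handshake.
DRAFT_LEVEL = {
    "TLSv1.2": "MUST prefer",
    "TLSv1.1": "MAY negotiate",
    "TLSv1": "SHOULD NOT negotiate",
    "SSLv3": "MUST NOT negotiate",
    "SSLv2": "MUST NOT negotiate",
}


def make_client_context(allow_tls10=False):
    """Client context whose version floor follows the quoted levels.

    allow_tls10 is a hypothetical opt-in for the case the message names:
    a peer where TLS 1.1 and TLS 1.2 are not available.
    """
    # Default context verifies certificates and keeps SSLv2/SSLv3 disabled.
    ctx = ssl.create_default_context()
    floor = ssl.TLSVersion.TLSv1 if allow_tls10 else ssl.TLSVersion.TLSv1_1
    with warnings.catch_warnings():
        # Recent Python releases warn when a floor below TLS 1.2 is set.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = floor
    return ctx


def audit(connections):
    """Return (peer, version, level) for every connection not on TLS 1.2."""
    findings = []
    for peer, version in connections:
        level = DRAFT_LEVEL.get(version, "not covered by the quoted text")
        if version != "TLSv1.2":
            findings.append((peer, version, level))
    return findings


# Constructed sample: (peer, negotiated version) pairs, not real servers.
SAMPLE = [
    ("a.example", "TLSv1.2"),
    ("b.example", "TLSv1"),
    ("c.example", "SSLv3"),
    ("d.example", "TLSv1.1"),
]

if __name__ == "__main__":
    print(make_client_context().minimum_version)
    for row in audit(SAMPLE):
        print(*row)
```

The floor set here is only an upper bound on permissiveness: the local OpenSSL build or system policy may still refuse TLS 1.0 and TLS 1.1.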