On Tue, 2024-08-06 at 05:02 -0400, Neil Horman wrote:
> The current proposal under consideration is to explicitly disable TLS > 1.0/1.1 at build time, in our 4.0 release (tentatively scheduled to > release in the next 12-18 months), with an eye to completely remove > the impacted code in a future major release. The default > configuration could be overridden to re-enable TLS 1.0/1.1 at build > time. > > Questions to the community are: > > 1) Are distributions/users comfortable with this approach in the time > frame proposed? I lead a quite unusual application (BMC Discovery), which is an IT discovery tool. Its purpose is to connect to everything it can in an IT environment and interrogate it, to find out what it is, and what it is doing. We would all agree that everything ought to be using modern TLS versions and encryption algorithms, but the reality is that we encounter many ancient systems that are using old protocols. It is important to us that we can connect to things even if they are now considered insecure, not least because that way we can report that they _are_ old and insecure. Obviously this is quite an unusual use of OpenSSL, but I think it is a good use case for retaining these old algorithms for as long as possible, even if they are disabled by default. If new OpenSSL versions drop support for older protocols, we will have to start using multiple versions, so we can use old OpenSSL versions for old discovery targets. Regards, Duncan Grisby. -- Duncan Grisby <dun...@grisby.org>
