Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

2018-07-09 Thread Philippe Metzger

On Thu, 26 Oct 2017 09:57:06 +0200 Raphael Hertzog wrote:
> Hello Kurt,
>
> On Fri, 22 Sep 2017, Kurt Roeckx wrote:
> > I have to admit that I didn't consider derivatives that take a
> > snapshot of testing, and we also seem to have a large amount of
> > people that do use testing. My intention was to target the more
> > advanced users, and having it in testing might be affecting more
> > people than I thought.
> >
> > So I am considering to only disable it in unstable and not in
> > testing.
>
> Any progress on this?
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: https://www.freexian.com/services/debian-lts.html
> Learn to master Debian: https://debian-handbook.info/get/
>

For now it seems that OpenSSL 1.1.0f-3+deb9u2, available in
stretch/security, forces TLS 1.2 only in https when using Apache (whatever
the SSLProtocol directive specifies).

Is there any way to allow TLS 1 and TLS 1.1 with Apache in stable?

Thanks a lot

--

*Philippe Metzger*
+33 6 12 90 60 97 / +33 1 82 28 56 95



Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

2017-10-26 Thread Raphael Hertzog
Hello Kurt,

On Fri, 22 Sep 2017, Kurt Roeckx wrote:
> I have to admit that I didn't consider derivatives that take a
> snapshot of testing, and we also seem to have a large amount of
> people that do use testing. My intention was to target the more
> advanced users, and having it in testing might be affecting more
> people than I thought.
> 
> So I am considering to only disable it in unstable and not in
> testing.

Any progress on this?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

2017-09-30 Thread Guido Günther
Hi,
On Fri, Sep 22, 2017 at 12:21:26AM +0200, Kurt Roeckx wrote:
> On Mon, Sep 11, 2017 at 12:30:30PM +0200, Raphael Hertzog wrote:
> > But in Debian testing, we have real end-users (direct and through
> > "rolling" derivatives) and they should not have to be impacted by this
> > experiment IMO.
> 
> I have to admit that I didn't consider derivatives that take a
> snapshot of testing, and we also seem to have a large amount of
> people that do use testing. My intention was to target the more
> advanced users, and having it in testing might be affecting more
> people than I thought.
> 
> So I am considering to only disable it in unstable and not in
> testing.

Please do. At least having it in unstable will allow us to use pinning
so one can again talk to not up to date services (which there are plenty
of).

Cheers,
 -- Guido

> 
> I'm actually surprised how few things broke.
> 
> 
> Kurt



Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

2017-09-23 Thread James Cloos
> "KR" == Kurt Roeckx writes:

KR> On Mon, Sep 11, 2017 at 11:33:22AM +0200, Raphaël Hertzog wrote:
>> Or at least I would like a system-wide flag (in a configuration file?) to
>> let me re-enable old protocols easily.

KR> It was my understanding that other people also preferred to do this
KR> on a per package level and not system wide.

But the other way round.

OpenSSL should by default support >= 1.0, and the individual packages
should be the ones to limit it to 1.2 or later.

That limit should be run-time and the config files which do it should
have comments explaining exactly how to undo it.

And packages like MTAs and web servers should have those configs
commented out so that they work by default with 1.0+.

-JimC
-- 
James Cloos  OpenPGP: 0x997A9F17ED7DAEA6



Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

2017-09-22 Thread Raphael Hertzog
Hi Kurt,

On Fri, 22 Sep 2017, Kurt Roeckx wrote:
> I have to admit that I didn't consider derivatives that take a
> snapshot of testing, and we also seem to have a large amount of
> people that do use testing. My intention was to target the more
> advanced users, and having it in testing might be affecting more
> people than I thought.
> 
> So I am considering to only disable it in unstable and not in
> testing.

Thank you!

> I'm actually surprised how few things broke.

When an app outside of Debian breaks when trying to connect to a
service running on a Debian machine, it's unlikely that said users
will report it back to Debian... it's a long chain.

Also servers will run stable and the large impact will only be noticeable
once this reaches stable.

On Fri, 22 Sep 2017, Kurt Roeckx wrote:
> On Mon, Sep 11, 2017 at 11:33:22AM +0200, Raphaël Hertzog wrote:
> > Or at least I would like a system-wide flag (in a configuration file?) to
> > let me re-enable old protocols easily.
> 
> It was my understanding that other people also preferred to do this
> on a per package level and not system wide.

I don't see why this would be mutually exclusive. We should be able to
control the system-wide default and override the values for specific
services too.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

2017-09-21 Thread Kurt Roeckx
On Mon, Sep 11, 2017 at 12:30:30PM +0200, Raphael Hertzog wrote:
> But in Debian testing, we have real end-users (direct and through
> "rolling" derivatives) and they should not have to be impacted by this
> experiment IMO.

I have to admit that I didn't consider derivatives that take a
snapshot of testing, and we also seem to have a large amount of
people that do use testing. My intention was to target the more
advanced users, and having it in testing might be affecting more
people than I thought.

So I am considering to only disable it in unstable and not in
testing.

I'm actually surprised how few things broke.


Kurt



Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

2017-09-21 Thread Kurt Roeckx
On Mon, Sep 11, 2017 at 11:33:22AM +0200, Raphaël Hertzog wrote:
> Or at least I would like a system-wide flag (in a configuration file?) to
> let me re-enable old protocols easily.

It was my understanding that other people also preferred to do this
on a per package level and not system wide.


Kurt