Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)
On Thu, 26 Oct 2017 09:57:06 +0200 Raphael Hertzog wrote:
> Hello Kurt,
>
> On Fri, 22 Sep 2017, Kurt Roeckx wrote:
> > I have to admit that I didn't consider derivatives that take a
> > snapshot of testing, and we also seem to have a large amount of
> > people that do use testing. My intention was to target the more
> > advanced users, and having it in testing might be affecting more
> > people than I thought.
> >
> > So I am considering to only disable it in unstable and not in
> > testing.
>
> Any progress on this?
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: https://www.freexian.com/services/debian-lts.html
> Learn to master Debian: https://debian-handbook.info/get/
>

For now it seems that OpenSSL 1.1.0f-3+deb9u2, available in stretch/security, forces TLS 1.2 only in https when using Apache (whatever the SSLProtocol directive specifies). Is there any way to allow TLS 1 and TLS 1.1 with apache in stable?

Thanks a lot
--
*Philippe Metzger*
+33 6 12 90 60 97 / +33 1 82 28 56 95
Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)
Hello Kurt,

On Fri, 22 Sep 2017, Kurt Roeckx wrote:
> I have to admit that I didn't consider derivatives that take a
> snapshot of testing, and we also seem to have a large amount of
> people that do use testing. My intention was to target the more
> advanced users, and having it in testing might be affecting more
> people than I thought.
>
> So I am considering to only disable it in unstable and not in
> testing.

Any progress on this?

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)
Hi,

On Fri, Sep 22, 2017 at 12:21:26AM +0200, Kurt Roeckx wrote:
> On Mon, Sep 11, 2017 at 12:30:30PM +0200, Raphael Hertzog wrote:
> > But in Debian testing, we have real end-users (direct and through
> > "rolling" derivatives) and they should not have to be impacted by this
> > experiment IMO.
>
> I have to admit that I didn't consider derivatives that take a
> snapshot of testing, and we also seem to have a large amount of
> people that do use testing. My intention was to target the more
> advanced users, and having it in testing might be affecting more
> people than I thought.
>
> So I am considering to only disable it in unstable and not in
> testing.

Please do. At least having it in unstable will allow us to use pinning so one can again talk to not up to date services (which there are plenty of).

Cheers,
--
Guido

>
> I'm actually surprised how few things broke.
>
>
> Kurt
Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)
> "KR" == Kurt Roeckx writes:

KR> On Mon, Sep 11, 2017 at 11:33:22AM +0200, Raphaël Hertzog wrote:
>> Or at least I would like a system-wide flag (in a configuration file?) to
>> let me re-enable old protocols easily.

KR> It was my understanding that other people also preferred to do this
KR> on a per package level and not system wide.

But the other way round. Openssl should by default support >= 1.0, and the individual packages should be the ones to limit it to 1.2 or later.

That limit should be run-time and the config files which do it should have comments explaining exactly how to undo it.

And packages like MTAs and web servers should have those configs commented out so that they work by default with 1.0+.

-JimC
--
James Cloos OpenPGP: 0x997A9F17ED7DAEA6
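Philippe's question about the Apache SSLProtocol directive and James's point that the per-service limit should live in a commented config file both come down to the same administrative check: which protocol versions does a given vhost configuration actually permit? The script below is an added example written for this thread; it is not code from the bug report, from Debian, or from the openssl or apache2 packages. It applies mod_ssl's parsing rules for SSLProtocol (a bare name replaces the current set, "+" adds, "-" removes, "all" selects every supported protocol) to a constructed sample config and flags each vhost that still admits TLS 1.0, TLS 1.1 or SSLv3. The protocol name list, the inclusion of TLSv1.3, and the sample vhosts are assumptions of this example. Note that it reports what the directive allows, not what the library will negotiate: as Philippe describes for the stretch package, an OpenSSL build that refuses anything below TLS 1.2 overrides whatever the directive says.

```python
"""Audit Apache mod_ssl SSLProtocol directives for legacy TLS versions.

Added example for the Debian bug #875423 discussion; not code from the
thread or from the openssl / apache2 packages. The protocol name set is
an assumption (SSLv2 omitted, TLSv1.3 included); adjust it to the mod_ssl
build being audited.
"""
import re

# Protocol names mod_ssl accepts, oldest first (assumed for this example).
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL = frozenset(PROTOCOLS)
# mod_ssl matches protocol names case-insensitively.
_CANONICAL = {p.lower(): p for p in PROTOCOLS}
# Versions this audit treats as legacy (the ones the thread discusses).
LEGACY = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})

_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def parse_sslprotocol(value):
    """Return the frozenset of protocols an SSLProtocol value enables.

    Mirrors mod_ssl's parser: '+name' adds, '-name' removes, and a bare
    name replaces whatever was set before it. Unknown names raise
    ValueError so a typo is not silently treated as "nothing enabled".
    """
    enabled = set()
    for token in value.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        key = name.lower()
        if key == "all":
            chosen = set(ALL)
        elif key in _CANONICAL:
            chosen = {_CANONICAL[key]}
        else:
            raise ValueError("unknown protocol %r in SSLProtocol" % name)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # bare name overrides the set so far
    return frozenset(enabled)


def audit_config(text):
    """Scan Apache config text and report every SSLProtocol line.

    Returns a list of (line_number, enabled_protocols, legacy_protocols);
    legacy_protocols is empty when the line admits only TLS 1.2 and newer.
    Full-line comments never match the directive pattern, so a commented-out
    SSLProtocol line (James's suggested default) is not reported.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        enabled = parse_sslprotocol(match.group(1))
        findings.append((lineno, enabled, enabled & LEGACY))
    return findings


# Constructed sample config (not a real Debian file) with three vhosts.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # Hardened: only TLS 1.2 and newer. Remove the -TLSv1 -TLSv1.1 tokens to re-enable them.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
<VirtualHost *:9443>
    # Additive form, same result as the 8443 vhost.
    SSLProtocol +TLSv1.2 +TLSv1.3
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, enabled, legacy in audit_config(SAMPLE_CONFIG):
        status = "LEGACY %s" % sorted(legacy) if legacy else "ok"
        print("line %d: %s -> %s" % (lineno, sorted(enabled), status))
```

Run against a real `sites-enabled` directory by feeding each file's contents to `audit_config`; only the first vhost in the sample is reported as legacy, because the other two end up with the same TLS 1.2+ set despite using the subtractive and additive spellings.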
Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)
Hi Kurt,

On Fri, 22 Sep 2017, Kurt Roeckx wrote:
> I have to admit that I didn't consider derivatives that take a
> snapshot of testing, and we also seem to have a large amount of
> people that do use testing. My intention was to target the more
> advanced users, and having it in testing might be affecting more
> people than I thought.
>
> So I am considering to only disable it in unstable and not in
> testing.

Thank you!

> I'm actually surprised how few things broke.

When an app outside of Debian breaks when trying to connect to a service running on a Debian machine, it's unlikely that said users will report it back to Debian... it's a long chain. Also servers will run stable and the large impact will only be noticeable once this reaches stable.

On Fri, 22 Sep 2017, Kurt Roeckx wrote:
> On Mon, Sep 11, 2017 at 11:33:22AM +0200, Raphaël Hertzog wrote:
> > Or at least I would like a system-wide flag (in a configuration file?) to
> > let me re-enable old protocols easily.
>
> It was my understanding that other people also preferred to do this
> on a per package level and not system wide.

I don't see why this would be mutually exclusive. We should be able to control the system-wide default and override the values for specific services too.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)
On Mon, Sep 11, 2017 at 12:30:30PM +0200, Raphael Hertzog wrote:
> But in Debian testing, we have real end-users (direct and through
> "rolling" derivatives) and they should not have to be impacted by this
> experiment IMO.

I have to admit that I didn't consider derivatives that take a
snapshot of testing, and we also seem to have a large amount of
people that do use testing. My intention was to target the more
advanced users, and having it in testing might be affecting more
people than I thought.

So I am considering to only disable it in unstable and not in
testing.

I'm actually surprised how few things broke.

Kurt
Bug#875423: [Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)
On Mon, Sep 11, 2017 at 11:33:22AM +0200, Raphaël Hertzog wrote:
> Or at least I would like a system-wide flag (in a configuration file?) to
> let me re-enable old protocols easily.

It was my understanding that other people also preferred to do this
on a per package level and not system wide.

Kurt