[Freedombox-pkg-team] Bug#914931: [Pkg-openssl-devel] Bug#914931: pagekite: Fail to connect to pagekite.me services with openssl installed

Bjarni Runar Einarsson bre at pagekite.net
Thu Nov 29 02:10:34 GMT 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello!

Thanks Petter, for reporting this and helping me debug it today.
I can confirm that just allowing TLSv1 would allow connections to
the existing PageKite infrastructure. Upgrading the server in
question is increasingly becoming a priority for me, I hope to
get this sorted out relatively soon. But this is certainly going
to be an issue for others as well.

The idea that any user of the next version of Debian will be
unable to connect to anything using TLSv1 or TLSv1.1, strikes me
as a bit excessive. These protocols have issues, but AFAIK they
are NOT so broken as to require blacklisting. Please correct me
if I'm wrong.

These defaults would make sense on web servers, where we know the
mainstream clients are updated and patched promptly - but Debian
is used in many other environments, for many other tasks where
that is simply not the case. Debian users are NOT always in a
position to force upgrades upon all the systems they need to
communicate with.

So I strongly urge you to reconsider this policy. Is it really
necessary? Do the security benefits justify the breakage? If
security were the only concern, we'd all just switch our
computers off and unplug them. There has to be a balance.


Responding to the comments above re SSLv3: given the choice
between supporting SSLv3 and falling back to plain-text, I'll
choose to support SSLv3 any day. Due to some legacy clients, that
was my reality. The idea that everyone should just upgrade
everything is a luxury not afforded to people who are supporting
diverse hardware in the field - and for better or worse, PageKite
was embedded in devices that could not easily be upgraded.

I am hoping there are few enough of them left in the wild that I
can drop SSLv3 entirely, and soon - because given current Debian
policies, I'm now being forced to choose between supporting them
and supporting Debian. I'll probably choose Debian, but it won't
be without a fair bit of cursing and frustration...

The need to support legacy devices was actually one of the main
reasons why I haven't upgraded that server: at some point
Debian chose to remove SSLv3 support from OpenSSL at compile
time, thus preventing me from upgrading, and forcing me to keep a
bunch of my servers at obsolete versions of Debian. So, I don't
have support for TLSv1.2 on that machine (and a few others),
because maintainers of this package forced me to choose one or
the other (maintaining my own forked OpenSSL packages was more
work than I could reasonably handle). I do wish this had been
handled differently, and I'm very glad this time it's just a
config file!


That said.... thanks for all your hard work on this!

I know everyone's doing their best, even though I rather strongly
disagree with some of your choices. Thanks for reading! :-)

- -- 
PageKite.net lets your personal computer be part of the web

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEETBSz4pzXkOHlSFMhjgA3FgDPlJEFAlv/SogACgkQjgA3FgDP
lJHPDgf/fO6nKz3BQAa5E82BpCbsasRpu3mOWD0IIbPhjYG54GLmgKgzzgnV2K7l
fNgIiCSxigt/JMxt8u0dADYdprM4Nk+ihN7BHrz1P7SOXGdIKWkiZw9Ddmrg7GtM
UcGl9lwBvDWPKILz7Ug1EH5QP66AhIi4M1WLlHoq8w9z53U+aOvZnLANO4O4mK1T
4CO2DH2nD0GWmLi9YmFNTxCtlTByJgaZ4dMbwFHbGd6H0yORspbOc7i3REcULWvG
9S00Zve9Lsm4rH9XKMPdPSxyxHeEdYdKOPfLczU7rOz6rVynL3sdCt0KAfeUIQAu
ceIFLBRMiZSzba0En3+ZdPUbrzvfwA==
=cLaF
-----END PGP SIGNATURE-----
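For reference, the Debian-side setting the thread is arguing about, as an added example that is not part of Bjarni's message or of the pagekite or openssl packages: Debian's openssl 1.1.1 packaging ships an /etc/ssl/openssl.cnf whose system_default_sect sets MinProtocol = TLSv1.2 (alongside CipherString = DEFAULT@SECLEVEL=2), and OpenSSL 1.1.1 loads that file for every program on init, which is why a Python client such as pagekite can no longer reach a TLSv1-only server. Rather than editing the global file, one process can be pointed at a private copy with the floor lowered through the OPENSSL_CONF environment variable. The file path below is an assumption; the section and directive names are OpenSSL's own.

```ini
# /etc/ssl/openssl-legacy.cnf  (assumed path: a private copy used by one
# process, so the global /etc/ssl/openssl.cnf keeps its TLSv1.2 floor)
#
# The shipped Debian file ends with the same three sections but with
#   MinProtocol = TLSv1.2
# which is the line that rejects a server offering only TLSv1 or TLSv1.1.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Lowered floor: allow TLSv1 and TLSv1.1 for this process only.
MinProtocol = TLSv1
# Unchanged from the Debian default. On OpenSSL 1.1.1 security level 2 still
# permits TLSv1.0/1.1 handshakes; on OpenSSL 3.x those handshakes additionally
# need a lower security level, so this file is scoped to the 1.1.1 case.
CipherString = DEFAULT@SECLEVEL=2
```

To apply it to the client alone, start it as `OPENSSL_CONF=/etc/ssl/openssl-legacy.cnf pagekite.py ...`; to confirm which side is the problem first, `openssl s_client -connect <frontend>:443 -tls1` with and without the same OPENSSL_CONF setting shows whether the default configuration, rather than the server, is what refuses the handshake. The override is a stopgap for the one relay that is still TLSv1-only, not a system-wide setting.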

