openssl/libssl1 in Debian now blocks offlineimap?

[Kurt Roeckx]

On Tue, Aug 15, 2017 at 10:49:05PM +0900, Norbert Preining wrote:
> Hi Kurt,
> 
> I read your announcement on d-d-a, but due to moving places
> I couldn't answer.
> 
> I consider the unconditional deprecation of TLS 1.0 and 1.1
> a very wrong move.
> 
> Be strict with what you are sending out, but relaxed with what
> you receive.

https://tools.ietf.org/html/draft-thomson-postel-was-wrong-01

Also, if I would be strict in what I'm sending out, I would not
support TLS 1.0 and 1.1 for outgoing connections, only for incomming
connections? For the offlineimap case that would still be a
problem.

TLS doesn't actually work this way, but it's my best guess to
what you mean.

> This paradigm is hurt by this move and our users at Debian are hurt.
> In many cases they will not have a way to force the mail server to
> upgrade, and thus are bound to *not* reading emails or using docker/downgrading/
> home-compiled solutions, which is the worst we can wish for.
> 
> Do you really think that big companies like cable provides give a 
> **** about what Debian deprecates?  I was personally fighting with similar 
> problems in Firefox and the internal side at my university.

My problem is that if we don't do something, TLS 1.0 will be used
for an other 10 year, and that's just not acceptable. So I would
like to do something so that hopefully by the time Buster releases
you can disable TLS 1.0 by default, and that almost no users would
need to enable it again.

Having TLS 1.0 (and 1.1) enabled by default itself is not a
problem, it's actually using it that's a problem. There are
clearly still too many that don't support TLS 1.2, but it's
getting better.

Disabling the protocols is the only way I know how to identify
all the problems. And I would like to encourage everybody to
contact the other side if things break and get them to upgrade.


Kurt