[Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

Mon Sep 11 09:33:22 UTC 2017

Source: openssl
Version: 1.1.0f-5
Severity: serious

Hello Kurt,

I looked back at the debian-devel discussion and it seems to me that
the majority of persons who expressed themselves (including Moritz Mühlenhoff
of the Debian security team) believe that buster should ship with TLS 1.0
and TLS 1.1 enabled.

Given this, I would like to request you to make sure that Debian testing
has a version of openssl with TLS 1.0 and TLS 1.1 enabled.

The rough consensus seems to be that it's ok for you to use Debian
unstable as a test-bed for your experiment to disable TLS 1.0 and TLS 1.1.

While that might not be practical to manage when you have to push an
update to testing, it's a burden that you should accept since you
believe that Debian experimental will not give enough exposure.

Please do listen to your fellow developers. Thank you.

Cheers,

PS: I'm filing this because I would like to not have to fork OpenSSL
for Kali. It's counter-productive to go too fast in deprecating old
protocols. You will only get less users using the official Debian
package with all the risks it involves.

Or at least I would like a system-wide flag (in a configuration file?) to
let me re-enable old protocols easily.

-- System Information:
Debian Release: buster/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- no debconf information