[Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Thu Sep 21 19:53:48 UTC 2017


On 2017-09-11 12:30:30 [+0200], Raphael Hertzog wrote:
> Yes, I'm aware of that but Kurt never said that he would be willing to
> back off from completely disabling it before the buster release and
> I don't see any benefit in modifying all server applications to re-enable
> the protocols that we want to support out-of-the box because there 
> are (outside of Debian) old applications that will have to connect to
> those servers.

My understanding is that it will stay as-is and every package that needs
TLS < 1.2 needs to add an option and the mentioned function to use the
lower TLS version.
The changes Kurt asked about are something that openssl upstream supports
and is something that openssl 1.1 considers the right way of doing
things (in contrast to the disable TLS-version X thingy which are marked
deprecated or going to…).

> I understand we need to fix the client applications that we ship in Debian
> so that they work with TLS 1.2-only servers and for this it might be
> useful to disable TLS 1.0 and TLS 1.1 by default in unstable for a while.

as I said, TLS 1.[01] is supported in unstable if the
*set_min_proto_version() is used. I think in the meantime offlineimap
has been fixed and I sent something for dovecot (but know about its
status).

> But in Debian testing, we have real end-users (direct and through
> "rolling" derivatives) and they should not have to be impacted by this
> experiment IMO.

So what problems do those users see? If the package lacks 1.2 support
then it should be reported & fixed. If the package requires <1.2 support
because the remote side can't be changed then this should be reported and
patched as well.
Feel free to Cc the list so I can look and maybe make a patch if I have
some spare time. I personally don't see a reason to keep this bug open
since it is unlikely that things change here. Also it is unwise to make
such a change two days before the release of Buster. *Now* we have the
time to act.

> Cheers,

Sebastian
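The two mechanisms contrasted in the message above, the per-version SSL_OP_NO_TLSv1* flags that OpenSSL 1.1 deprecates and the *set_min_proto_version() floor it recommends, shown as an added example that is not part of the original thread and not code from any Debian package. It uses Python's ssl module (3.7 or newer), which calls SSL_CTX_set_min_proto_version() when SSLContext.minimum_version is assigned and sets the SSL_OP_NO_* bits when they are OR'ed into SSLContext.options. The config-file strings ("1.0" to "1.3") are an assumed option of the kind a patched package would add, and offered_versions() is a model of how OpenSSL derives the offered range from floor, ceiling and OP_NO_ holes; no real handshake is performed.

```python
import ssl
import warnings

# TLS versions in protocol order, as the ssl module names them (SSLv3 is left
# out: Python disables it unconditionally).
_ORDER = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# Assumed config-file values ("tls_min_version = 1.0") mapped to the floor
# handed to SSL_CTX_set_min_proto_version().
_FLOORS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}

# The older, per-version "disable" flags (SSL_OP_NO_TLSv1 and friends).
_OP_NO = {
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3,
}


def make_client_context(min_version: str = "1.2") -> ssl.SSLContext:
    """Recommended style: state a floor; everything at or above it stays on.

    A package that must talk to a legacy peer exposes min_version as an
    option and lowers the floor to "1.0" or "1.1" only when configured to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = _FLOORS[min_version]  # SSL_CTX_set_min_proto_version()
    return ctx


def make_legacy_client_context(disable=("1.0", "1.1")) -> ssl.SSLContext:
    """Deprecated style: subtract individual versions with SSL_OP_NO_* bits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Newer Pythons already install a TLS 1.2 floor; clear it so only the
    # OP_NO_* flags decide what is offered, as old code assumed.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    with warnings.catch_warnings():
        # Python 3.10+ warns that these flags are deprecated; that is the point.
        warnings.simplefilter("ignore", DeprecationWarning)
        for v in disable:
            ctx.options |= _OP_NO[_FLOORS[v]]
    return ctx


def offered_versions(ctx: ssl.SSLContext):
    """Model of what OpenSSL offers: the [min, max] range minus OP_NO_* holes."""
    lo = _ORDER.index(ctx.minimum_version) if ctx.minimum_version in _ORDER else 0
    hi = (_ORDER.index(ctx.maximum_version)
          if ctx.maximum_version in _ORDER else len(_ORDER) - 1)
    return [v for v in _ORDER[lo:hi + 1] if not ctx.options & _OP_NO[v]]


def negotiated_version(ctx: ssl.SSLContext, server_versions):
    """Highest version both sides accept, or None when the handshake would fail."""
    common = set(offered_versions(ctx)) & set(server_versions)
    return max(common) if common else None


if __name__ == "__main__":
    tls12_only_server = [ssl.TLSVersion.TLSv1_2]
    old_server = [ssl.TLSVersion.TLSv1]  # the "remote side can't be changed" case

    for name, ctx in (("floor 1.2", make_client_context("1.2")),
                      ("floor 1.0", make_client_context("1.0")),
                      ("legacy OP_NO_TLSv1{,_1}", make_legacy_client_context())):
        print(f"{name:24s} offers {[v.name for v in offered_versions(ctx)]}")
        print(f"{'':24s} vs TLS 1.2-only server: {negotiated_version(ctx, tls12_only_server)}")
        print(f"{'':24s} vs TLS 1.0-only server: {negotiated_version(ctx, old_server)}")
```

The floor form keeps working when a new version appears (TLS 1.3 is offered automatically by a "1.2" floor), which is why upstream prefers it over flags that have to be re-audited per version. On OpenSSL 3 a lowered floor alone is still not enough for TLS 1.0/1.1: the default security level rejects the SHA-1 handshake signatures those versions use, so the security level has to be lowered as well.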


