[Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

Raphael Hertzog hertzog at debian.org
Fri Sep 22 09:12:52 UTC 2017


Hi,

On Thu, 21 Sep 2017, Sebastian Andrzej Siewior wrote:
> The changes Kurt asked about is something that openssl upstream supports
> and is something that openssl 1.1 considers the right way of doing
> things (in contrast to the disable TLS-version X thingy which are marked
> deprecated or going to…).

Why has it been implemented as a Debian specific patch then?

I don't think that upstream planned to deprecate TLS 1.0 and TLS 1.1
at this point yet. Yes, there are methods to control which TLS versions
you accept to use but those are optional and the default is to accept
all TLS versions and this default effectively changed in Debian, forcing
all applications to add code to re-enable all TLS versions.

> So what problems do those users see? If the package lacks 1.2 support
> then it should be reported & fixed. If the package requires <1.2 support
> because the remote side can't be changed then this should be reported and
> patched as well.

I think the discussion has been rather clear on the fact that the remote
side is not always patchable (old android versions which are not
getting updates, etc.).

> since it is unlikely that things change here. Also it is unwise to make
> such a change two days before the release of Buster. *Now* we have the
> time to act.

buster should not ship with TLS 1.0 and TLS 1.1 disabled.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
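
Added example, not part of the original message and not Debian's or OpenSSL's code: a Python `ssl` audit helper that reports which TLS versions a context's configuration allows, combining the two mechanisms the thread contrasts (minimum/maximum protocol bounds and the deprecated per-version opt-out flags). The names `enabled_versions` and `client_context` are hypothetical.

```python
import ssl
import warnings

# Deprecated per-version opt-out flags (the "disable TLS-version X" style).
_OPT_OUT = {
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3,
}


def enabled_versions(ctx):
    """Names of the TLS versions the context's configuration allows.

    Reads the configured bounds and flags only; a protocol removed from the
    library at build time is not detected here.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:  # no lower bound set
        lo = min(_OPT_OUT)
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:  # no upper bound set
        hi = max(_OPT_OUT)
    return [v.name for v, flag in sorted(_OPT_OUT.items())
            if lo <= v <= hi and not ctx.options & flag]


def client_context(min_version, opt_out=0):
    """Hypothetical helper: client context with an explicit lower bound."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Newer Pythons warn when old versions or OP_NO_* flags are set.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
        ctx.minimum_version = min_version
        ctx.options |= opt_out
    return ctx


if __name__ == "__main__":
    print("system default  :", enabled_versions(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)))
    print("min = TLS 1.0   :", enabled_versions(client_context(ssl.TLSVersion.TLSv1)))
    print("min = TLS 1.2   :", enabled_versions(client_context(ssl.TLSVersion.TLSv1_2)))
    both = ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    print("opt-out flags   :", enabled_versions(client_context(ssl.TLSVersion.TLSv1, both)))
```

The "system default" line depends on the Python and OpenSSL builds installed, which is the point of running it on the host being audited.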


