[Pkg-openssl-devel] Bug#875423: openssl: Please re-enable TLS 1.0 and TLS 1.1 (at least in testing)

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sun Sep 24 20:21:31 UTC 2017


On 2017-09-22 11:12:52 [+0200], Raphael Hertzog wrote:
> Hi,
> 
> On Thu, 21 Sep 2017, Sebastian Andrzej Siewior wrote:
> > The changes Kurt asked about is something that openssl upstream supports
> > and is something that openssl 1.1 considers the right way of doing
> > things (in contrast to the disable TLS-version X thingy which are marked
> > deprecated or going to…).
> 
> Why has it been implemented as a Debian specific patch then?

There is nothing Debian specific, except for build options used and the
patches are upstream as far as I recall.

> I don't think that upstream planned to deprecate TLS 1.0 and TLS 1.1
> at this point yet. Yes, there are methods to control which TLS versions
> you accept to use but those are optional and the default is to accept
> all TLS versions and this default effectively changed in Debian, forcing
> all applications to add code to re-enable all TLS versions.

Fastly plans to disable TLS <1.2 on June 30 2018 as per PCI SSC:
  https://www.fastly.com/blog/update-our-tls-10-and-11-deprecation-plan/

which is the extended deadline:
  https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

and Buster should be around mid-end 2019.

> > So what problems do those users see? If the package lacks 1.2 support
> > then it should be reported & fixed. If the package requires <1.2 support
> > because the remote side can't be changed then this should be reported and
> > patched as well.
> 
> I think the discussion has been rather clear on the fact that the remote
> side is not always patchable (old android versions which are not
> getting updates, etc.).

and for those things where you can not update and you *want* to run unpatched
software and need TLS1.0 you can patch/add a switch to the software in Debian to
allow TLS < 1.2 but not by default.

> > since it is unlikely that things change here. Also it is unwise to make
> > such a change two days before the release of Buster. *Now* we have the
> > time to act.
> 
> buster should not ship with TLS 1.0 and TLS 1.1 disabled.

It is not entirely disabled, you just need to add a switch (if not yet done) to
enable TLS 1.[01] on purpose. We talk here about 2019. We already have 3DES
and RC4 disabled which is something you would not expect after the Jessie
release.

> Cheers,

Sebastian
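The opt-in switch discussed in this thread, as an added example that is not part of the original mail or of Debian's openssl packaging: a Python client context whose floor is TLS 1.2 and which lowers the floor to TLS 1.0 only when an explicit environment switch is set, using the min/max protocol-version API that upstream supports rather than the deprecated OP_NO_TLSv1* option bits. The switch name ALLOW_LEGACY_TLS and the function names are assumptions for this example.

```python
import ssl

# Assumed switch name for this example; the thread names no particular one.
LEGACY_SWITCH = "ALLOW_LEGACY_TLS"


def make_client_context(allow_legacy_tls=False):
    """Return a client SSLContext whose protocol floor is TLS 1.2.

    The floor is lowered to TLS 1.0 only when the caller passes an explicit
    opt-in; the default path never enables TLS 1.0/1.1.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    # Bounding the version range via minimum/maximum_version maps to
    # SSL_CTX_set_min_proto_version(), the supported OpenSSL 1.1 way; the
    # OP_NO_TLSv1* bits are the deprecated "disable version X" knobs.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if allow_legacy_tls:
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError as exc:
            # The library was built without TLS 1.0; fail loudly instead of
            # silently leaving the caller on a floor it did not ask for.
            raise RuntimeError("this OpenSSL build cannot speak TLS 1.0") from exc
    return ctx


def context_from_env(environ):
    """Build the context from a process environment (any mapping).

    Only the exact values "1" and "yes" count as an opt-in, so a typo or an
    empty variable cannot accidentally re-enable legacy protocol versions.
    """
    value = environ.get(LEGACY_SWITCH, "").strip().lower()
    return make_client_context(allow_legacy_tls=value in ("1", "yes"))


def describe_floor(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    import os
    print("TLS floor:", describe_floor(context_from_env(os.environ)))
```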