|
Message-ID: <CAH8yC8k01PEivvgmP7hk2mW7WTfxVohmFrF7FRr6NwkkzVUj3A@mail.gmail.com> Date: Wed, 7 Aug 2024 17:10:54 -0400 From: Jeffrey Walton <noloader@...il.com> To: oss-security@...ts.openwall.com Subject: Re: feedback requested regarding deprecation of TLS 1.0/1.1 On Wed, Aug 7, 2024 at 4:47 PM Steffen Nurpmeso <steffen@...oden.eu> wrote: > [...] > Given that most sensitive software supports easy configuration, for > example by passing through "MinProtocol" configuration settings to > *SSL (and i so much like the possibility of a "global central > OpenSSL configuration file" that bundles all relevant settings, > yet so few programs support that possibility), topics like these > always strike me as hysteria. And before the ears ring, i quickly > say "as defaults are safe". Small nit: there is no SSL or TLS min version or max version. There is a TLS record version, and a TLS protocol version. The record layer carries the protocol messages. The record version is kind of boring. It has not changed much, and I would speculate you could select TLS 1.0 and it would be the same as TLS 1.2 or TLS 1.3 (though I did not verify the claim). The TLS protocol version is much more interesting, and it is what people customarily think of when they hear TLS 1.0, TLS 1.2, and TLS 1.3. It changed a lot between TLS 1.1/TLS 1.2, and TLS 1.2/TLS 1.3. TLS record version and TLS protocol version are _not_ a range of min/max. They are discrete versions of the protocol for the underlying transport (record) and the upper protocol data units (messages). Also see <https://datatracker.ietf.org/doc/html/rfc5246#appendix-E>. It talks about how to set the various versions for maximum interoperability. Jeff
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.