Message-ID: <ZrPtYKhe5AtS5XcT@itl-email>
Date: Wed, 7 Aug 2024 17:55:41 -0400
From: Demi Marie Obenour <demi@...isiblethingslab.com>
To: oss-security@...ts.openwall.com
Subject: Re: feedback requested regarding deprecation of TLS 1.0/1.1

On Wed, Aug 07, 2024 at 07:48:07PM +0200, Solar Designer wrote:
> Hi,
> 
> I think there are two categories of use cases that need a wide range of
> supported protocol versions:
> 
> 1. Hosting a public server that's meant to be usable by the widest
> audience possible, including from both up-to-date and older systems.
> For example, a website should display in latest web browsers, but
> command-line downloads from the same server should also work from old
> systems (e.g., running LTS distros).
> 
> 2. Scanning or crawling a wide variety of systems, e.g. by a search
> engine indexer, an asset enumeration tool, a security scanner, or during
> a pentest.
> 
> For both of these categories, it's desirable to have a maintained
> library that supports this wide range of protocol versions.  The proxy
> solution that Demi Marie Obenour advocates for isn't of enough help.  It
> could kind of work for #1, but it'd require two different end-points
> that users would need to explicitly choose between, or some other hacks.
> For #2, a workaround is to use two libraries, maybe trying the newer one
> first followed by a fallback to the older, but this may also be tricky
> (e.g., linking them into the same program might clash).

That is indeed valid, thank you.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
