Message-ID: <ff992a659e09160cb6609c611245fb480a5004ab.camel@grisby.org>
Date: Wed, 07 Aug 2024 23:58:40 +0100
From: Duncan Grisby <duncan@...sby.org>
To: oss-security@...ts.openwall.com
Subject: Re: feedback requested regarding deprecation of TLS 1.0/1.1

On Tue, 2024-08-06 at 05:02 -0400, Neil Horman wrote:


> The current proposal under consideration is to explicitly disable TLS
> 1.0/1.1 at build time, in our 4.0 release (tentatively scheduled to
> release in the next 12-18 months), with an eye to completely remove
> the impacted code in a future major release.  The default
> configuration could be overridden to re-enable TLS 1.0/1.1 at build
> time.
> 
> Questions to the community are:
> 
> 1) Are distributions/users comfortable with this approach in the time
> frame proposed?

I lead a quite unusual application (BMC Discovery), which is an IT
discovery tool. Its purpose is to connect to everything it can in an IT
environment and interrogate it, to find out what it is, and what it is
doing.

We would all agree that everything ought to be using modern TLS
versions and encryption algorithms, but the reality is that we
encounter many ancient systems that are using old protocols. It is
important to us that we can connect to things even if they are now
considered insecure, not least because that way we can report that they
_are_ old and insecure.

Obviously this is quite an unusual use of OpenSSL, but I think it is a
good use case for retaining these old algorithms for as long as
possible, even if they are disabled by default. If new OpenSSL versions
drop support for older protocols, we will have to start using multiple
versions, so we can use old OpenSSL versions for old discovery targets.

Regards,

Duncan Grisby.

-- 
Duncan Grisby <duncan@...sby.org>
