Re: OpenSSL disables TLS 1.0 and 1.1

To: debian-devel@lists.debian.org
Subject: Re: OpenSSL disables TLS 1.0 and 1.1
From: Russ Allbery <rra@debian.org>
Date: Fri, 11 Aug 2017 14:09:52 -0700
Message-id: <[🔎] 871soh24m7.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20170811125256.tmi265wt424hb6te@bongo.bofh.it> (Marco d'Itri's message of "Fri, 11 Aug 2017 14:52:56 +0200")
References: <20170807014238.mf64rdvgpdkpaiwa@roeckx.be> <[🔎] 8737932yic.fsf@delenn.ganneff.de> <[🔎] 20170807185241.qqamsdbf5pyb3pch@bongo.bofh.it> <[🔎] 0dni8fh2k7j5v8@mids.svenhartge.de> <[🔎] 20170811112052.a4vkn3skwcoif5p7@bongo.bofh.it> <[🔎] 20170811125256.tmi265wt424hb6te@bongo.bofh.it>

Marco d'Itri <md@Linux.IT> writes:

> But as it has been noted there is more than HTTP, so totally removing
> support for 1.0/1.1 may still not be appropriate.

Adding a data point here, my employer (Dropbox) is reasonably aggressive
about SSL configuration, but based on the usage we see, we've not yet been
comfortable with dropping TLS 1.0 and 1.1.  Maybe we will be by the end of
the buster release cycle, but that isn't entirely clear to me.  Google,
Amazon, Microsoft, and the EFF all also still support TLS 1.0/1.1 on their
primary web sites, for whatever that's worth.

A good external validation for when industry best practice is willing to
drop TLS 1.0/1.1 support is when Qualys SSL Labs
(https://www.ssllabs.com/ssltest/) starts lowering the grade below A+ for
sites that have TLS 1.0/1.1 enabled.  They still haven't been willing to
take that step, and I think they're a reasonable lagging indicator for
current accepted best SSL practice.

That doesn't mean we can't make it very easy to disable TLS 1.0/1.1 or
encourage people to do that when possible, of course.  It would be great
for us to try to lead the way and push things forward a bit.  But I think
we're still going to have to make it very easy to enable TLS 1.0/1.1 for a
lot of people and applications for a bit longer.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: OpenSSL disables TLS 1.0 and 1.1
  - From: Tollef Fog Heen <tfheen@err.no>

References:
- Re: OpenSSL disables TLS 1.0 and 1.1
  - From: Joerg Jaspert <joerg@debian.org>
- Re: OpenSSL disables TLS 1.0 and 1.1
  - From: md@Linux.IT (Marco d'Itri)
- Re: OpenSSL disables TLS 1.0 and 1.1
  - From: Sven Hartge <sven@svenhartge.de>
- Re: OpenSSL disables TLS 1.0 and 1.1
  - From: md@Linux.IT (Marco d'Itri)
- Re: OpenSSL disables TLS 1.0 and 1.1
  - From: Marco d'Itri <md@Linux.IT>

Prev by Date: Bug#871812: ITP: gajim-rostertweaks -- allows user to tweak Gajim roster window appearance
Next by Date: Re: Detached upstream signature and git packaging
Previous by thread: Re: OpenSSL disables TLS 1.0 and 1.1
Next by thread: Re: OpenSSL disables TLS 1.0 and 1.1
Index(es):
- Date
- Thread