Re: OpenSSL disables TLS 1.0 and 1.1

To: debian-devel@lists.debian.org
Subject: Re: OpenSSL disables TLS 1.0 and 1.1
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 20 Aug 2017 20:30:43 +0200
Message-id: <[🔎] 20170820183043.igmukujv6aodvdl7@roeckx.be>
In-reply-to: <[🔎] 20170807183552.m6ufe3dl5ywztusd@roeckx.be>
References: <20170807014238.mf64rdvgpdkpaiwa@roeckx.be> <[🔎] 8737932yic.fsf@delenn.ganneff.de> <[🔎] 20170807183552.m6ufe3dl5ywztusd@roeckx.be>

On Mon, Aug 07, 2017 at 08:35:52PM +0200, Kurt Roeckx wrote:
> On Mon, Aug 07, 2017 at 05:22:51PM +0200, Joerg Jaspert wrote:
> > I wonder if there is a middle way that ensures that all new stuff does
> > go TLS1.2 (or later, whenever), but does allow older stuff still to
> > work. Which isnt the case if they are just disabled.
> 
> I could change the default settings to set the minimum supported
> version as TLS 1.2. That is, act like
> SSL_CTX_set_min_proto_version() was called with TLS1_2_VERSION.
> That would allow applications to override this this by calling
> SSL_CTX_set_min_proto_version(). But then those are new
> functions in 1.1.0 and they probably aren't supported by many
> applications.

I have a patch for that at:
https://github.com/openssl/openssl/pull/4128

I might upload this soon. The intention is still to ship Buster
with TLS 1.0 and 1.1 completly disabled.


Kurt

Reply to:

Follow-Ups:
- Re: OpenSSL disables TLS 1.0 and 1.1
  - From: Michael Meskes <meskes@debian.org>

References:
- Re: OpenSSL disables TLS 1.0 and 1.1
  - From: Joerg Jaspert <joerg@debian.org>
- Re: OpenSSL disables TLS 1.0 and 1.1
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: New archive key for wheezy generated
Next by Date: Re: openssl/libssl1 in Debian now blocks offlineimap?
Previous by thread: Re: OpenSSL disables TLS 1.0 and 1.1
Next by thread: Re: OpenSSL disables TLS 1.0 and 1.1
Index(es):
- Date
- Thread