On 02.02.15 15.54, Disch Services GmbH wrote:
> Dear List,
Hi there!
Please note that what I write are my impressions and opinions, and
not any official statement regarding what LTS can or should support.
I'm not in a position to make such statements, either.
> right now I struggle with some issues about supported encryption
> protocols in Debian 6 LTS.
> The technical recommendation of BSI (See 1.) for TLS states
> that TLSv1.0 isn't recommended any more starting in 2015. The
> same document says that TLSv1.1 may be used in 2015 resp. 2017+
> with some restrictions.
> Now, Debian 6 LTS has OpenSSL that only supports TLSv1.0 and has
> GnuTLS that supports TLSv1.1, but without PFS.
Yep, this is a problem.
> According to the (legal)
> requirements of the BayLDA (See 2.) mail servers must support
> STARTTLS and PFS (Perfect Forward Secrecy) and the Heartbleed
> bug must be fixed. (See 3.)
> Combining these we find that Debian 6 LTS could not be used in
> 2015 any more, because in OpenSSL (which is used as a standard
> library for encryption in most applications) TLSv1.2 (resp.
> TLSv1.1 with some restrictions) is missing and in GnuTLS PFS is
> missing.
For your purposes, I'd say your analysis is correct: Debian Squeeze
should not be used, except with a backported OpenSSL 1.x.
The problem with that is that to backport OpenSSL 1.x means also
backporting newer versions of packages (I don't recall which or how
many, sorry) that have been programmed with OpenSSL 0.9.x in mind.
Establishing exactly which packages these are, and to which extent
they merely need to be recompiled or also need to be backported, is
a pretty big task, and I suspect it's way out of scope for the LTS
project.
> But Ubuntu 12 LTS has OpenSSL which
> supports TLSv1.2 and PFS.
Debian Squeeze was feature-frozen in August 2010, one and a half
years before Ubuntu 12.04 LTS. That is, it was feature-frozen while
Ubuntu 10.04 was the current Ubuntu version.
If you want to compare Ubuntu 12 LTS with a Debian release, the
closest we've got is Wheezy.
> Furthermore I discovered mail
> services of my clients that only support TLSv1.2 - and because
> of this, encrypted e-mail communication fails. And, from an IT
> security point of view, I can only recommend a service or a
> software to my clients that obeys the protective legal
> requirements. Additionally I think that the supported encryption
> protocol is a security issue!
> To sum this up: we need Debian 6 LTS with TLSv1.2 (i.e. with a
> recent OpenSSL implementation).
I agree that it would be nice, but the writing has been on the wall
regarding which Debian release you should look to for TLS and PFS
support since Wheezy was frozen in 2012.
I think you'd be better served by migrating to Wheezy or Jessie.
--
Cheers,
Jan
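A small check to go with the thread above, added here and not part of either message or of any Debian tooling: a Python probe that issues STARTTLS against a mail server and grades what was actually negotiated against the requirements discussed (TLSv1.2 or newer, and an ECDHE/DHE key exchange for PFS). The policy constants, the function names and the target host are my assumptions.

```python
"""Probe an SMTP server's STARTTLS negotiation and grade it against a
TLS 1.2 + forward-secrecy policy (assumed policy, not an official one)."""
import smtplib
import ssl
import sys

# Assumed policy: TLS 1.0/1.1 are out, TLS 1.2+ is required, and the key
# exchange must be ephemeral (ECDHE or DHE) so the session has PFS.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# OpenSSL cipher names: ECDHE-*/DHE-* are ephemeral; TLS 1.3 suites (TLS_*)
# always use an ephemeral key exchange. Anything else (e.g. AES256-SHA) is
# plain RSA key transport and has no forward secrecy.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def evaluate(version, cipher_name):
    """Return (ok, reasons) for a negotiated protocol version and cipher."""
    reasons = []
    if version not in ACCEPTED_VERSIONS:
        reasons.append(f"protocol {version} not acceptable (need TLSv1.2+)")
    if not cipher_name.startswith(PFS_PREFIXES):
        reasons.append(f"cipher {cipher_name} has no forward secrecy (need ECDHE/DHE)")
    return (not reasons, reasons)


def probe_starttls(host, port=25, timeout=10):
    """EHLO, STARTTLS, and return (version, cipher) the server negotiated.

    Uses a default client context, so a server that can only speak TLS 1.0
    fails the handshake here, which already answers the policy question."""
    ctx = ssl.create_default_context()  # certificate validation stays on
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        sock = smtp.sock  # now an ssl.SSLSocket
        return sock.version(), sock.cipher()[0]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder
    try:
        ver, cipher = probe_starttls(target)
    except ssl.SSLError as exc:
        print(f"{target}: handshake failed ({exc}); server likely offers only TLS < 1.2")
        sys.exit(1)
    ok, why = evaluate(ver, cipher)
    print(f"{target}: {ver} {cipher} -> {'OK' if ok else 'FAIL: ' + '; '.join(why)}")
```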