
Re: Re: TLSv1.2 needed in Debian 6 LTS



Hi there,

comments in-line:
On 02.02.15 15:54, Disch Services GmbH wrote:
> Dear List,
Hi there!

Please note that what I write are my impressions and opinions, and not
any official statement regarding what LTS can or should support. I'm not
in a position to make such statements, either.

Me neither, but since this is a community effort and also a testbed
for evaluating how future Debian LTS policies can work, I think we are
all doing well if we share our opinions on what could be feasible
approaches for supporting user requirements.

[...]
> Regarding the (legal) requirements of the BayLDA (See 2.) mail
> servers must support STARTTLS and PFS (Perfect Forward Secrecy) and
> the Heartbleed bug must be fixed. (See 3.)
>
> Combining these we find, that Debian 6 LTS could not be used in 2015
> any more, because in OpenSSL (which is used as a standard library for
> encryption in most applications) TLSv1.2 (resp. TLSv1.1 with some
> restrictions) is missing and in GnuTLS PFS is missing.
For your purposes, I'd say your analysis is correct: Debian Squeeze
should not be used, except with a backported OpenSSL 1.x.


Generally, I think that third-party package sources containing
backports would be the way to go for such requirements stated by local
authorities. Otherwise, it would be hard to maintain a central
Debian-LTS package repository which is applicable globally. For
example, Germany also came up with "De-Mail" for securing electronic
communication, but no one would expect that Debian replaces GnuPG by a
De-Mail client because of this.

Adding new features into a feature-frozen distribution seems like a
pretty severe step, and in my opinion, there would have to be a pretty
global consensus about this being necessary, if it should be done.

If there are enough organizations which are subject to the stated
requirements about TLS 1.2, it should be realistic to create a joint
effort for a third-party package source which can be used with
Debian-LTS.

The problem with that is that to backport OpenSSL 1.x means also
backporting newer versions of packages (I don't recall which or how
many, sorry) that have been programmed with OpenSSL 0.9.x in mind.


Either this, or it may be possible to port the Debian-LTS package
versions to OpenSSL 1.x, keeping other interfaces more stable.

The existing package dependency information should be helpful for
either of the approaches.

Establishing exactly which packages these are, and to which extent they
merely need to be recompiled or also need to be backported, is a pretty
big task, and I suspect it's way out of scope for the LTS project.


I agree. Facilitating efforts like this should be a concern of all
Debian packaging efforts, independently of being related to
Debian-LTS, or newer releases.

Best regards,

Isidor


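The message above says the package dependency information should be enough to establish which packages would be hit by replacing OpenSSL 0.9.x. The following script is an added example (it is not from the thread or from the Debian LTS project) showing one way to do that sweep: it parses dpkg status records, builds the reverse-dependency graph, and reports every package that reaches libssl0.9.8 directly (needs at least a rebuild against the new library) or through another package. The SAMPLE_STATUS text is constructed to look like /var/lib/dpkg/status; the package names and dependency lines in it are illustrative assumptions, not the real Squeeze package list.

```python
"""Reverse-dependency sweep for an OpenSSL library transition.

Added example, not code from the original thread. Given dpkg-status-style
records (the constructed sample below, not a real Squeeze package list),
find every package that depends on libssl0.9.8 directly or through other
packages, so you know what has to be rebuilt or backported when the
library is replaced. On a live system, read /var/lib/dpkg/status instead
of SAMPLE_STATUS.
"""
import re
from collections import defaultdict

# Constructed sample modelled on /var/lib/dpkg/status syntax. The package
# names and dependency relations are assumptions for illustration only.
SAMPLE_STATUS = """\
Package: libssl0.9.8
Version: 0.9.8o-4squeeze14
Depends: libc6 (>= 2.7), zlib1g (>= 1:1.1.4)

Package: libc6
Version: 2.11.3-4

Package: zlib1g
Version: 1:1.2.3.4.dfsg-3

Package: openssl
Version: 0.9.8o-4squeeze14
Depends: libc6 (>= 2.7), libssl0.9.8 (>= 0.9.8m-1), zlib1g (>= 1:1.1.4)

Package: postfix
Version: 2.7.1-1+squeeze1
Depends: libc6 (>= 2.7), libdb4.8, libssl0.9.8 (>= 0.9.8m-1), netbase, adduser (>= 3.48), ssl-cert

Package: libcurl3
Version: 7.21.0-2.1+squeeze4
Depends: libc6 (>= 2.7), libidn11 (>= 1.13), libssl0.9.8 (>= 0.9.8m-1), zlib1g (>= 1:1.1.4)

Package: curl
Version: 7.21.0-2.1+squeeze4
Depends: libc6 (>= 2.7), libcurl3 (= 7.21.0-2.1+squeeze4), zlib1g (>= 1:1.1.4)

Package: git
Version: 1:1.7.2.5-3
Depends: libc6 (>= 2.7), libcurl3-gnutls (>= 7.16.2-1), zlib1g (>= 1:1.2.0), perl-modules

Package: libcurl3-gnutls
Version: 7.21.0-2.1+squeeze4
Depends: libc6 (>= 2.7), libgnutls26 (>= 2.7.14-0), libidn11 (>= 1.13), zlib1g (>= 1:1.1.4)

Package: libgnutls26
Version: 2.8.6-1+squeeze2
Depends: libc6 (>= 2.7), libgcrypt11 (>= 1.4.5), libtasn1-3 (>= 0.3.4), zlib1g (>= 1:1.1.4)
"""

# A Debian package name: lowercase alphanumerics plus "+", ".", "-".
_DEP_NAME = re.compile(r"^\s*([a-z0-9][a-z0-9+.-]*)")


def parse_status(text):
    """Return {package: set(dependency names)} from dpkg status records.

    Version constraints such as "(>= 1.0)" are dropped and every alternative
    in "a | b" is kept, because for a rebuild sweep any alternative that is
    the OpenSSL library is relevant.
    """
    deps = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            if ":" in line and not line.startswith((" ", "\t")):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        names = set()
        for item in fields.get("Depends", "").split(","):
            for alt in item.split("|"):
                m = _DEP_NAME.match(alt)
                if m:
                    names.add(m.group(1))
        deps[fields["Package"]] = names
    return deps


def reverse_dependencies(deps, target):
    """Return {package: distance} for every package that reaches target.

    distance 1: links the library directly, so it needs at least a rebuild
    against the new library. distance > 1: reaches it only through another
    package, so fixing the intermediate package may be enough.
    """
    rdeps = defaultdict(set)
    for pkg, needed in deps.items():
        for dep in needed:
            rdeps[dep].add(pkg)
    found = {}
    frontier = [target]
    depth = 0
    while frontier:  # breadth-first walk outwards from the library
        depth += 1
        nxt = []
        for node in frontier:
            for pkg in sorted(rdeps.get(node, ())):
                if pkg != target and pkg not in found:
                    found[pkg] = depth
                    nxt.append(pkg)
        frontier = nxt
    return found


def report(text, target="libssl0.9.8"):
    """Sorted list of (package, distance), direct linkers first."""
    found = reverse_dependencies(parse_status(text), target)
    return sorted(found.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    for pkg, dist in report(SAMPLE_STATUS):
        how = "direct" if dist == 1 else "via %d hop(s)" % (dist - 1)
        print(f"{pkg:20s} {how}")
```

On the sample data, openssl, postfix and libcurl3 link libssl0.9.8 directly, curl is affected only through libcurl3, and git is not affected at all because it goes through libcurl3-gnutls and GnuTLS. For the direct layer on a real system, `apt-cache rdepends --installed libssl0.9.8` gives the same answer; the script's value is the transitive walk and the direct-versus-indirect split, which is what decides between a plain rebuild and a real backport.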