
TLSv1.2 needed in Debian 6 LTS



Dear List,

Right now I am struggling with some issues regarding the supported encryption protocols in Debian 6 LTS.

The technical recommendation of the BSI (see 1.) for TLS states that TLSv1.0 is no longer recommended starting in 2015. The same document says that TLSv1.1 may be used in 2015, respectively 2017+, with some restrictions.

Now, Debian 6 LTS has an OpenSSL that only supports TLSv1.0 and a GnuTLS that supports TLSv1.1, but without PFS.

According to the (legal) requirements of the BayLDA (see 2.), mail servers must support STARTTLS and PFS (Perfect Forward Secrecy), and the Heartbleed bug must be fixed (see 3.).

Combining these, we find that Debian 6 LTS can no longer be used in 2015, because in OpenSSL (which is used as the standard library for encryption in most applications) TLSv1.2 (respectively TLSv1.1 with some restrictions) is missing, and in GnuTLS PFS is missing.

But Ubuntu 12 LTS has OpenSSL which supports TLSv1.2 and PFS.

Furthermore, I discovered mail services of my clients that only support TLSv1.2, and because of this, encrypted e-mail communication fails. And, from an IT security point of view, I can only recommend a service or a piece of software to my clients that obeys the protective legal requirements. Additionally, I think that the supported encryption protocol is a security issue!

To sum this up: we need Debian 6 LTS with TLSv1.2 (i.e. with a recent OpenSSL implementation).


With best regards

   Uwe Disch
   Managing Director
   Disch Services GmbH
   E-Mail: mailto:info@disch-services.de
   Phone: 09123. 966 25 12
   Internet: http://disch-services.de
   Legal notice: http://disch-services.de

   Mandatory disclosures pursuant to §35a para. 1 sentence 1 GmbHG, among others:
   Managing director authorised to represent the company:
   Dipl.-Ing. (FH) Uwe Disch
   Company name: Disch Services GmbH
   Legal form of the company: GmbH
   Registered office: Lauf
   Register court: Amtsgericht Nürnberg HRB 18 503
   VAT ID: DE 217 813 642

   Ingenieurbüro Disch: solution-oriented, technological, innovative.
   http://disch-online.de

   Participant in the Allianz für Cyber-Sicherheit.

   I hereby object to any use or transmission of my data that goes
   beyond this contact, regardless of the purpose for which it is
   carried out. In particular, I object to the use or transmission of
   my data for advertising purposes or for market or opinion research.

References:
1. Bundesamt für Sicherheit in der Informationstechnik:
    https://www.bsi.bund.de/DE/Publikationen/Mindeststandards/SSL-TLS-Protokoll/SSL-TLS-Protokoll_node.html
2. Bayerisches Landesamt für Datenschutzaufsicht: http://www.lda.bayern.de
3. http://www.lda.bayern.de/onlinepruefung/emailserver.html
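As an added example (not part of the mail above and not code from the Debian LTS project): a small Python check, in the spirit of the BayLDA server test referenced in 3., that judges what a mail server actually negotiated after STARTTLS against the two requirements the mail names, a recommended TLS version and a forward-secret cipher. The PROTOCOL_VERDICT table is my own summary of the guidance as the mail states it (not the BSI document's wording), the host labels and sample observations are constructed, and probe_starttls is a hypothetical helper name for the live check of your own server.

```python
import re
import smtplib
import ssl

# Summary of the protocol guidance the mail attributes to the BSI document:
# TLSv1.0 is no longer recommended from 2015, TLSv1.1 may still be used only
# with restrictions, TLSv1.2 is the recommended version.  This table is our
# own reading of the mail, not the BSI document's wording.
PROTOCOL_VERDICT = {
    "TLSv1.3": "ok",
    "TLSv1.2": "ok",
    "TLSv1.1": "restricted",
    "TLSv1": "not recommended",      # name Python's ssl module reports for TLS 1.0
    "SSLv3": "not recommended",
}


def provides_pfs(cipher_name):
    """Return True if the OpenSSL cipher-suite name indicates an ephemeral
    (EC)DH key exchange, i.e. perfect forward secrecy.

    OpenSSL names such suites with an ECDHE- or DHE- prefix (EDH- on older
    builds); TLS 1.3 suite names (TLS_...) always use an ephemeral exchange."""
    if cipher_name.startswith("TLS_"):
        return True
    return re.match(r"^(ECDHE|DHE|EDH)-", cipher_name) is not None


def assess(protocol, cipher_name):
    """Judge a negotiated (protocol, cipher) pair against the two requirements
    stated in the mail: a recommended TLS version and a PFS cipher.

    Returns (verdict, reasons) with verdict in {"pass", "restricted", "fail"}."""
    reasons = []
    protocol_verdict = PROTOCOL_VERDICT.get(protocol, "not recommended")
    if protocol_verdict == "not recommended":
        reasons.append(f"protocol {protocol} is not recommended")
    if not provides_pfs(cipher_name):
        reasons.append(f"cipher {cipher_name} offers no forward secrecy")
    if reasons:
        return "fail", reasons
    if protocol_verdict == "restricted":
        return "restricted", [f"protocol {protocol} is allowed only with restrictions"]
    return "pass", []


def probe_starttls(host, port=25, timeout=10, context=None):
    """Open an SMTP session to our own mail server, upgrade it with STARTTLS
    and return the (protocol, cipher) pair that was actually negotiated.

    Needs network access, so it is not exercised by the offline sample run
    below.  The default context verifies the server certificate; pass your
    own ssl.SSLContext if the server still uses a self-signed certificate."""
    if context is None:
        context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)   # raises SMTPNotSupportedError without STARTTLS
        protocol = smtp.sock.version()   # smtp.sock is an SSLSocket after starttls()
        cipher_name, _proto, _bits = smtp.sock.cipher()
    return protocol, cipher_name


def report(observations):
    """Map each (label, protocol, cipher) observation to its verdict."""
    return {label: assess(protocol, cipher)[0] for label, protocol, cipher in observations}


# Constructed sample observations modelled on the situation the mail describes
# (a Debian 6 host limited to TLS 1.0, one limited to TLS 1.1 without PFS,
# versus a host with a newer OpenSSL).  Labels and suites are made up, not
# real measurements.
SAMPLE_OBSERVATIONS = [
    ("mx-squeeze-openssl", "TLSv1",   "AES256-SHA"),
    ("mx-squeeze-gnutls",  "TLSv1.1", "AES128-SHA"),
    ("mx-tls11-with-pfs",  "TLSv1.1", "DHE-RSA-AES128-SHA"),
    ("mx-precise-openssl", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
]

if __name__ == "__main__":
    print("local OpenSSL:", ssl.OPENSSL_VERSION)
    for label, protocol, cipher in SAMPLE_OBSERVATIONS:
        verdict, reasons = assess(protocol, cipher)
        print(f"{label:20} {protocol:8} {cipher:30} {verdict}", *reasons, sep="  ")
```

Run against your own server with `probe_starttls("mx.example.invalid")` and feed the result to `assess`; a "fail" on the protocol line is exactly the library limitation the mail complains about, while a "fail" on the cipher line can usually be fixed by the server's cipher configuration alone.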


On 07.10.2014 at 15:10, Raphael Hertzog wrote:
Hello Uwe,

you probably know the Debian LTS project[1] which aims to provide
5 years of security updates to all Debian releases. As part of this
project, we did set up an offer so that companies benefiting from this
extended support can contribute with financial support. By pooling
resources of multiple companies, we hope to be able to sustain this nice
project.

At this time, the project is well underway but we have not yet
achieved our goal of funding the equivalent of a full-time position:

http://www.freexian.com/services/debian-lts.html

Thanks to the support of fifteen companies, we have 42 hours sponsored
each month. This is not enough yet, we want at least to double this
amount, and ideally quadruple it.

As (a) Debian consultant(s) listed on https://www.debian.org/consultants/,
you are in touch with companies (and other organizations) using Debian
(be it customers, partners, or yourself), and you could effectively
relay our message.

If — like us — you believe that the long term support of Debian is
important for its credibility and its future, I invite you to identify
the Debian-using companies/organizations that you know and that might
contribute to the long term support of Debian. From there on,
you can either contact those entities yourself (you can put
deblts@freexian.com in copy of your emails to keep us informed),
or you can give us the details of the company and of a possible
contact so that we can offer them to participate in the Debian
LTS project.

You will find below[2] an email template that you can reuse to
introduce the Debian LTS project and convince companies to participate.

Thank you in advance for your help! If each Debian consultant convinces
a company to join the project, we will quickly exceed our goals.

Regards,
  Raphaël Hertzog <hertzog@debian.org>

[1] http://wiki.debian.org/LTS
[2] Email template:
----
Hello,

Debian GNU/Linux is an important piece of your IT infrastructure that you
get for free. Debian would probably be even more valuable to you if
it benefited from 5 years of support: no need to upgrade every 2 years,
you can migrate to a newer version when you upgrade the hardware, etc.

This is exactly what the Debian project is currently trying to do
but they are short on volunteers to achieve this. To remedy this,
a few Debian developers have set up an offer so that all companies can
easily contribute to this project:
http://www.freexian.com/services/debian-lts.html

This initiative has the support of the Debian project:
https://www.debian.org/News/2014/20140616

If you ever wondered how you could give something back to the Debian project,
this is the perfect opportunity. In a single operation, you support
the work of some Debian contributors and you help them deliver more value to
you with proper Long Term Support of all Debian releases.

Are you interested in contributing to this project?

If yes, please fill in the form at
http://www.freexian.com/services/debian-lts-subscription-form.pdf and send
it back to deblts@freexian.com.

If you have any questions about this offer, please ask them to Raphaël Hertzog
<deblts@freexian.com> who is coordinating this operation.

Thank you very much for your support!
----
