On Mon, 2015-02-02 at 18:23 +0100, Disch Services GmbH wrote:
> On 02.02.2015 at 17:12, Jan Ingvoldstad wrote:
> > > But Ubuntu 12 LTS has OpenSSL which supports TLSv1.2 and PFS.
> >
> > Debian Squeeze was feature-frozen in August 2010, one and a half
> > years before Ubuntu 12.04 LTS. That is, it was feature-frozen while
> > Ubuntu 10.04 was the current Ubuntu version.
> >
> > If you want to compare Ubuntu 12 LTS with a Debian release, the
> > closest we've got is Wheezy.
> >
> > > Furthermore I discovered mail services of my clients that only
> > > support TLSv1.2 - and because of this, encrypted e-mail
> > > communication fails. And, from IT security point of view, I can
> > > only recommend a service or a software to my clients that obeys
> > > the protective legal requirements. Additionally I think that the
> > > supported encryption protocol is a security issue!
> > >
> > > To sum this up: we need Debian 6 LTS with TLSv1.2 (i.e. with a
> > > recent OpenSSL implementation).
> >
> > I agree that it would be nice, but the writing has been on the wall
> > regarding which Debian release you should look to for TLS and PFS
> > support since Wheezy was frozen in 2012.
>
> No, the point is the claim that Debian 6 LTS has 5 year support until
> mid. 2016.

With a limited subset of packages and architectures, and subject to
developers being available to do this.

> And as a user I expect Debian 6 LTS is up-to-date (from security point
> of view) until mid. 2016. But with missing TLSv1.2 it is NOT.
> Nevertheless when the code freeze was.

Please adjust your expectations accordingly.

> > I think you'd be better served by migrating to Wheezy or Jessie.
>
> Really? With the customer projects there is no budget for migration
> to a new release.

Is there budget for paying for LTS? Or for paying fines for
non-compliance with new security requirements? I think they're going
to have to pay for one of these three things, and you should make sure
they understand that.

> The migration is planned in early summer 2016. And the migration
> would not be straight-forward, because Linux Virtual Server support
> was dropped with Debian 7 and some important concepts have changed in
> Linux Containers.

What makes you think Linux Virtual Server is supported in squeeze LTS?
We haven't updated the vserver patch for over 3 years. Some developers
are rebasing their patch against 2.6.32.y, but I reported a regression
in 2012 <http://article.gmane.org/gmane.linux.vserver/19267> and never
heard any response and this has not been fixed upstream.

Ben.

-- 
Ben Hutchings
Never attribute to conspiracy what can adequately be explained by stupidity.