Re: feedback requested regarding deprecation of TLS 1.0/1.1

[Duncan Grisby <duncan () grisby org>]

On Tue, 2024-08-06 at 05:02 -0400, Neil Horman wrote:


> The current proposal under consideration is to explicitly disable TLS
> 1.0/1.1 at build time, in our 4.0 release (tentatively scheduled to
> release in the next 12-18 months), with an eye to completely remove
> the impacted code in a future major release.  The default
> configuration could be overridden to re-enable TLS 1.0/1.1 at build
> time.
>
> Questions to the community are:
>
> 1) Are distributions/users comfortable with this approach in the time
> frame proposed?

I lead a quite unusual application (BMC Discovery), which is an IT
discovery tool. Its purpose is to connect to everything it can in an IT
environment and interrogate it, to find out what it is, and what it is
doing.

We would all agree that everything ought to be using modern TLS
versions and encryption algorithms, but the reality is that we
encounter many ancient systems that are using old protocols. It is
important to us that we can connect to things even if they are now
considered insecure, not least because that way we can report that they
_are_ old and insecure.

Obviously this is quite an unusual use of OpenSSL, but I think it is a
good use case for retaining these old algorithms for as long as
possible, even if they are disabled by default. If new OpenSSL versions
drop support for older protocols, we will have to start using multiple
versions, so we can use old OpenSSL versions for old discovery targets.

Regards,

Duncan Grisby.

-- 
Duncan Grisby <duncan () grisby org>