oss-sec mailing list archives

Re: feedback requested regarding deprecation of TLS 1.0/1.1


From: Clemens Lang <cllang () redhat com>
Date: Thu, 8 Aug 2024 12:46:34 +0200

Hi,

On 7. Aug 2024, at 19:48, Solar Designer <solar () openwall com> wrote:

> 1. Hosting a public server that's meant to be usable by the widest
> audience possible, including from both up-to-date and older systems.
> For example, a website should display in latest web browsers, but
> command-line downloads from the same server should also work from old
> systems (e.g., running LTS distros).

Speaking of LTS distros: RHEL 6.10 supports TLS 1.2.
At what point is a distro not LTS, but a museum piece which we can ignore?
What currently supported LTS distro does not support TLS 1.2?


> 2. Scanning or crawling a wide variety of systems, e.g. by a search
> engine indexer, an asset enumeration tool, a security scanner, or during
> a pentest.

What good is a search engine index of a webpage no modern browser will connect to?

The other use cases sound like they’d be done with special tooling anyway, in which case that can continue to ship an older version of OpenSSL for this purpose.


-- 
Clemens Lang
RHEL Crypto Team
Red Hat

