oss-sec mailing list archives
Re: feedback requested regarding deprecation of TLS 1.0/1.1
From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Thu, 08 Aug 2024 20:50:19 -0500
Clemens Lang wrote:
> On 7. Aug 2024, at 19:48, Solar Designer <solar () openwall com> wrote:
>> 1. Hosting a public server that's meant to be usable by the widest audience possible, including from both up-to-date and older systems. For example, a website should display in latest web browsers, but command-line downloads from the same server should also work from old systems (e.g., running LTS distros).
> Speaking of LTS distros: RHEL 6.10 supports TLS 1.2. At what point is a distro not LTS, but a museum piece which we can ignore? What currently supported LTS distro does not support TLS 1.2?
Legacy is a long tail and there is a big difference between communications on the open Internet and support for archaic protocol versions to talk to older devices on a LAN. Disabling support by default is one thing; removing it entirely is another and much more serious.
>> 2. Scanning or crawling a wide variety of systems, e.g. by a search engine indexer, an asset enumeration tool, a security scanner, or during a pentest.
> What good is a search engine index of a webpage no modern browser will connect to?
A user may have an older browser around, the page may also be available via plain HTTP (very likely if the server is that old), or the search engine might offer a cached copy. For a specific crawler that could have use for this scenario, consider the Internet Archive Wayback Machine.
> The other use cases sound like they'd be done with special tooling anyway, in which case that can continue to ship an older version of OpenSSL for this purpose.
Presumably that "older version of OpenSSL" would be unmaintained, which means that it is likely to accumulate known exploits over time. This could be *very* bad for an asset enumeration tool or security scanner that could encounter a malicious server that insists on an old protocol version in order to exploit that older library and crack the scanner host!
-- Jacob