oss-sec mailing list archives

Re: feedback requested regarding deprecation of TLS 1.0/1.1


From: Jens Timmerman <jens () caret be>
Date: Fri, 9 Aug 2024 12:08:07 +0200


On 8/8/24 12:46 PM, Clemens Lang wrote:
> Hi,
>
> Speaking of LTS distros: RHEL 6.10 supports TLS 1.2.

RHEL 6.10 is not a supported distro; its Extended Life Cycle ended one month and one week ago (30 Jun 2024):

https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates

> At what point is a distro not LTS, but a museum piece which we can ignore?
I believe that is after it is no longer supported. I also believe LTS means that the vendor/creator of the distro will provide the support and will make security patches, and possibly back-port features if requested. This is nothing the community should do for them. (I could claim to support a 20-year-old version of OpenSSL if I wanted to, but I would not expect/request the OpenSSL maintainers to fix my issues for me.)
What currently supported LTS distro does not support TLS 1.2?


>> 2. Scanning or crawling a wide variety of systems, e.g. by a search
>> engine indexer, an asset enumeration tool, a security scanner, or during
>> a pentest.
>
> What good is a search engine index of a webpage no modern browser will connect to?

It is good for penetration testers. If no normal expected users need to connect to the service, and only malicious users are expected to connect to it, it might be beneficial for the security posture to take it offline or put it behind a proxy.

> The other use cases sound like they’d be done with special tooling anyway, in which case that can continue to ship an
> older version of OpenSSL for this purpose.

Agreed; if an older version of OpenSSL is needed for specific testing purposes, I can boot up an old live CD in a VM, or download old source releases and build OpenSSL from source myself.

Regards,

Jens Timmerman
