Author: ael
Date:
To: dng
Subject: Re: [DNG] openssl/libssl1 in Debian has disabled TLS 1.0 & 1.1

On Wed, Aug 16, 2017 at 01:27:33PM +0200, Alessandro Selli wrote:
> On Wed, 16 Aug 2017 at 13:24:36 +0200
> Alessandro Selli <alessandroselli@???> wrote:
>
> > On Wed, 16 Aug 2017 at 11:56:46 +0100
> > ael <adrian.lawrence@???> wrote:
> >
> > [...]
> >
> > > Devuan needs to avoid importing this problem.
> >
> > It also needs to avoid being labelled as an unsafe distro, one of the few¹
> > to still support unsecure protocols. After all, TLS v. 2.0 is from 1995,
> > quite a long time ago.
>
> Sorry, that's SSL v 2. TLS v. 1.2 is dated 2008. Not very long time ago.
> I'd favour disabling it by default, only to be enabled if explicitly
> configured to do so.

I am happy with that. Just as long as one can enable it when
*necessary*.

What is unacceptable is for Devuan to take away the freedom to read
email or prevent communication with devices which cannot be updated.

It may be that the Debian maintainer will see sense, and correct the
mistake, but if not Devuan will need to provide a modified (perhaps
I mean an unmodified) package. Unfortunately that involves extra
work, although I think it is only a minor change. I haven't checked, but
if by any chance upstream provides their own dpkg, that would be the
obvious option.