From: Dan Lukes
Date: Thu, 14 May 2015 13:31:41 +0200
To: Liste FreeBSD-security
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Message-ID: <5554879D.7060601@obluda.cz>

Patrick Proniewski wrote:
>> "Data Transfer Interrupted
>> The connection to forums.freebsd.org has terminated unexpectedly. Some
>> data may have been transferred."
>
> looks like your browser/OS does not support TLS 1.2.

I'm confused by FreeBSD policy, a lot.

Base OpenSSL in still-supported releases is too old a version and doesn't support TLS 1.2 either.

Either TLS 1.0 is so insecure that it should not be used, or it is secure enough for FreeBSD.

In the first case the base OpenSSL should be updated to something more recent (so dangerous TLS 1.0 only should be considered a security issue). In the second case I see no reason to disable TLS 1.0 on https://forums.freebsd.org - regardless of the Qualys rating.

I don't care which solution will be selected.

Just my $0.02

Dan