Date:      Thu, 14 May 2015 17:20:44 +0200
From:      Patrick Proniewski <patpro@patpro.net>
To:        Liste FreeBSD-security <freebsd-security@freebsd.org>
Cc:        jungle Boogie <jungleboogie0@gmail.com>
Subject:   Re: Forums.FreeBSD.org - SSL Issue?
Message-ID:  <C6A26209-6DB6-4842-9810-B670E3461AAE@patpro.net>
In-Reply-To: <CAKE2PDtM6q14q2BdmB5PNht=Q3Q0VQRh64nh1Lfd9Y9uCryibw@mail.gmail.com>
References:  <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <CAKE2PDtM6q14q2BdmB5PNht=Q3Q0VQRh64nh1Lfd9Y9uCryibw@mail.gmail.com>

On 14 May 2015, at 16:13, jungle Boogie wrote:

> On 14 May 2015 at 06:08, Mark Felder <feld@freebsd.org> wrote:
>>
>> TLS 1.0 is dead and is even now banned in new installations according to
>> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
>> by *any* HTTPS site now.
>
>
> Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
> upgrade their software. I'm looking to celebrate the day when we have
> 1.1 and 1.2 enabled.


That's always the problem with guys like you and me who live in the real
world. We can't cope with "what should be dead and no longer used".
Deprecated tomcat/Java/SSL/You-name-it software that you can't just
upgrade because it's used with hardware/software you can't get rid of.
At work we are in the ridiculous state where we have to package old
browser + old Java into VMware ThinApp "bubbles" to access production
tools.

Removing TLS 1.0 is not a good move. It's possible to provide SSL with
TLS 1.2, having protection against protocol downgrade, and still provide
TLS 1.1 and 1.0 for older browsers.

patpro
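
Added example, not part of the original message: a sketch of the server-side check that lets TLS 1.0 through 1.2 coexist while refusing downgraded retries. It assumes the "protection against protocol downgrade" mentioned above is TLS_FALLBACK_SCSV (RFC 7507); the function names and the sample ClientHello bodies are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
INAPPROPRIATE_FALLBACK = 86         # RFC 7507 fatal alert
PROTOCOL_VERSION = 70               # alert: no mutually supported version
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_client_hello(body: bytes):
    """Return (client_version, cipher_suites) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + body[pos]              # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("malformed cipher_suites vector")
    return version, list(struct.unpack_from(f"!{n // 2}H", body, pos))

def server_decision(body: bytes, supported=frozenset(VERSIONS)):
    """Negotiate a version, or refuse a downgraded retry (RFC 7507, section 3)."""
    client_version, suites = parse_client_hello(body)
    # A client that retried at a lower version marks the retry with the SCSV.
    # If the server could have done better, something forced the downgrade.
    if TLS_FALLBACK_SCSV in suites and max(supported) > client_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    usable = [v for v in supported if v <= client_version]
    if not usable:
        return ("alert", PROTOCOL_VERSION)
    return ("negotiated", VERSIONS[max(usable)])

def make_hello(version, suites):
    """Constructed sample ClientHello body (zero random, empty session_id)."""
    return (bytes(version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + struct.pack(f"!{len(suites)}H", *suites) + b"\x01\x00")

if __name__ == "__main__":
    AES128_SHA = 0x002F               # TLS_RSA_WITH_AES_128_CBC_SHA
    print(server_decision(make_hello((3, 3), [AES128_SHA])))  # modern client
    print(server_decision(make_hello((3, 1), [AES128_SHA])))  # legacy client
    print(server_decision(make_hello((3, 1), [AES128_SHA, TLS_FALLBACK_SCSV])))
```

A genuinely old TLS 1.0 client never sends the SCSV, so it still connects; only a newer client that was pushed into a fallback retry is rejected.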