From owner-freebsd-security@FreeBSD.ORG Thu May 14 15:20:54 2015
Subject: Re: Forums.FreeBSD.org - SSL Issue?
From: Patrick Proniewski
Date: Thu, 14 May 2015 17:20:44 +0200
To: Liste FreeBSD-security
Cc: jungle Boogie
References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com>

On 14 May 2015, at 16:13, jungle Boogie wrote:

> On 14 May 2015 at 06:08, Mark Felder wrote:
>>
>> TLS 1.0 is dead and is even now banned in new installations according to
>> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
>> by *any* HTTPS site now.
>
>
> Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
> upgrade their software. I'm looking to celebrate the day when we have
> 1.1 and 1.2 enabled.

That's always the problem with guys like you and me who live in the real world. We can't cope with "what should be dead and no longer used". Deprecated tomcat/Java/SSL/You-name-it software that you can't just upgrade because it's used with hardware/software you can't get rid of.

At work we are in the ridiculous state where we have to package old browser + old Java into VMware ThinApp "bubbles" to access production tools.

Removing TLS 1.0 is not a good move. It's possible to provide SSL with TLS 1.2, having protection against protocol downgrade, and still provide TLS 1.1 and 1.0 for older browsers.

patpro
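The negotiation behaviour patpro describes (a server offering TLS 1.2 with downgrade protection while still serving TLS 1.1 and 1.0 clients), as an added Python model that is not part of the original thread. It assumes RFC 7507's TLS_FALLBACK_SCSV as the downgrade-protection mechanism, uses constructed ClientHello inputs, and flags the versions PCI DSS 3.1 no longer accepts, as the quoted message states for TLS 1.0.

```python
"""Server-side TLS version selection with RFC 7507 downgrade protection.

Versions are (major, minor) pairs as sent on the wire:
SSLv3 = (3,0), TLS 1.0 = (3,1), TLS 1.1 = (3,2), TLS 1.2 = (3,3).
"""
from dataclasses import dataclass

SSLV3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSLV3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value defined in RFC 7507


class HandshakeFailure(Exception):
    """Carries the TLS alert description the server would send back."""


@dataclass(frozen=True)
class ClientHello:
    max_version: tuple   # highest version the client claims to support
    cipher_suites: tuple # suite ids; may include TLS_FALLBACK_SCSV (constructed input)


def negotiate(server_versions, hello):
    """Return the version a server enabling server_versions selects for hello.

    A client that retries a failed handshake with a lower max_version adds
    TLS_FALLBACK_SCSV. If the server supports something higher than the retry
    offers, the earlier failure was not a genuine server limitation, so the
    server refuses rather than silently accept the weaker version.
    """
    highest = max(server_versions)
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.max_version < highest:
        raise HandshakeFailure("inappropriate_fallback")
    # Ordinary negotiation: best version both sides support, never above client max.
    candidates = [v for v in server_versions if v <= hello.max_version]
    if not candidates:
        raise HandshakeFailure("protocol_version")
    return max(candidates)


def pci_dss_31_issues(server_versions):
    """Names of enabled versions PCI DSS 3.1 does not count as strong cryptography."""
    return [NAMES[v] for v in sorted(server_versions) if v <= TLS10]


if __name__ == "__main__":
    offered = {TLS10, TLS11, TLS12}   # the mixed configuration from the message
    print(NAMES[negotiate(offered, ClientHello(TLS10, (0x002F,)))])  # old browser
    print(NAMES[negotiate(offered, ClientHello(TLS12, (0x002F,)))])  # modern browser
    print(pci_dss_31_issues(offered))
```

An old browser that genuinely tops out at TLS 1.0 never sends the SCSV and is served; only a retry that lowers the version while the server still supports a higher one is refused.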