Date:      Fri, 15 May 2015 18:07:54 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Adam Major <adi@ivpro.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Forums.FreeBSD.org - SSL Issue?
Message-ID:  <20150515173820.M69409@sola.nimnet.asn.au>
In-Reply-To: <5554C025.9090903@ivpro.net>
References:  <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <5554C025.9090903@ivpro.net>

On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote:
 > Hello
 > 
 > >> But I don't think disabling TLS 1.0 is ok.
 > >>
 > > 
 > > TLS 1.0 is dead and is even now banned in new installations according to
 > > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
 > > by *any* HTTPS site now.
 > 
 > Maybe it is dead, but it is still used in many old browsers / software.
 > 
 > In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 by 30 June 2016.
 > (new installations "in theory" should not be built on TLS 1.0).
 > 
 > So we have 1 year, and the FreeBSD forum is not an e-commerce site ;)

People seem determined to make sure freebsd forums are one of the first 
sites to ban TLS 1.0, as some sort of best-practice example.

I admit my knowledge of TLS issues is scant.  I'd like to know whether 
allowing TLS 1.0 - with fallback from later levels denied, as it already 
is - endangers the server, or only the client?  If there's a clearly 
stated and immediate danger to the forum server, I can accept that, but 
I'd have thought https://www and svnweb would be more at such peril? 
Will there be any notice before they're denied TLS 1.0 access also?

If it's just for making the sort of point that Mark is advocating, to 
force people to join this 'rolling automatic update' model so beloved of 
Microsoft and their captive hardware vendors, then I think doing that, 
without any sort of prior notice, is rather less than I've come to 
expect from the FreeBSD project over 17 years.

But I'm a grandpa too; guess I have old-fashioned expectations :)

cheers, Ian
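Added example (not part of this thread, and not code from the FreeBSD project): the "fallback from later levels denied" configuration Ian asks about is, on the server side, the TLS_FALLBACK_SCSV rule of RFC 7507 (that mapping is this example's assumption). A server that still accepts TLS 1.0 can apply it to tell apart a client that genuinely only speaks TLS 1.0 from one that negotiated a newer version and has been pushed into retrying at TLS 1.0. The snippet below constructs minimal ClientHello records as sample input, parses the offered version and cipher suite list, and applies the RFC 7507 server check.

```python
"""Parse a TLS ClientHello and apply the RFC 7507 TLS_FALLBACK_SCSV server rule.

Sample ClientHello records are constructed in-line; nothing here is captured
traffic or configuration from the FreeBSD forum servers.
"""
import struct

# Signalling Cipher Suite Value from RFC 7507. Assumption: this is the
# mechanism behind "fallback from later levels denied" in the thread.
TLS_FALLBACK_SCSV = 0x5600

VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}


def build_client_hello(client_version: int, suites: list) -> bytes:
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    body = struct.pack("!H", client_version)
    body += b"\x00" * 32                       # client random (constructed, all zero)
    body += b"\x00"                            # empty session id
    body += struct.pack("!H", 2 * len(suites))  # cipher suite list length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record layer: content type 0x16 (handshake), legacy record version, length.
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the offered protocol version and cipher suites of a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + rec_len]
    if len(payload) < 4 or payload[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(payload[1:4], "big")
    hello = payload[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                               # skip the 32-byte client random
    sid_len = hello[pos]
    pos += 1 + sid_len                         # skip the session id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cs_bytes = hello[pos:pos + cs_len]
    if len(cs_bytes) != cs_len or cs_len % 2:
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]
    return {
        "client_version": client_version,
        "version_name": VERSION_NAMES.get(client_version, hex(client_version)),
        "suites": suites,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
    }


def is_inappropriate_fallback(info: dict, server_max_version: int = 0x0303) -> bool:
    """RFC 7507 server rule: refuse the handshake (inappropriate_fallback alert)
    when the SCSV is present and the offered version is below the highest
    version this server supports. A TLS 1.0-only client never sends the SCSV,
    so it is still served; only a downgraded retry from a newer client is refused."""
    return info["fallback_scsv"] and info["client_version"] < server_max_version


if __name__ == "__main__":
    samples = {
        "legacy TLS 1.0 client": build_client_hello(0x0301, [0xC02F]),
        "downgraded retry at TLS 1.0": build_client_hello(0x0301, [0xC02F, TLS_FALLBACK_SCSV]),
        "TLS 1.2 client with SCSV": build_client_hello(0x0303, [0xC02F, TLS_FALLBACK_SCSV]),
    }
    for label, rec in samples.items():
        info = parse_client_hello(rec)
        verdict = "reject" if is_inappropriate_fallback(info) else "accept"
        print(f"{label}: offers {info['version_name']}, SCSV={info['fallback_scsv']} -> {verdict}")
```

The point of the check is the one Ian's question turns on: with the SCSV rule in place, keeping TLS 1.0 enabled serves old clients that have nothing newer, while a client that does support TLS 1.2 cannot be talked down to TLS 1.0 by an attacker who breaks its first handshake, because its retry carries the SCSV and the server refuses it.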