From owner-freebsd-security@FreeBSD.ORG Fri May 15 08:08:00 2015
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id A1E23763
 for ; Fri, 15 May 2015 08:08:00 +0000 (UTC)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 1AB05171B
 for ; Fri, 15 May 2015 08:07:59 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t4F87swm007162;
 Fri, 15 May 2015 18:07:55 +1000 (EST)
 (envelope-from smithi@nimnet.asn.au)
Date: Fri, 15 May 2015 18:07:54 +1000 (EST)
From: Ian Smith
To: Adam Major
cc: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
In-Reply-To: <5554C025.9090903@ivpro.net>
Message-ID: <20150515173820.M69409@sola.nimnet.asn.au>
References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com>
 <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net>
 <20150514193706.V69409@sola.nimnet.asn.au>
 <555476CB.2010005@ivpro.net>
 <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com>
 <5554C025.9090903@ivpro.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 15 May 2015 08:08:00 -0000

On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote:

> Hello
>
> >> But I don't think disabling TLS 1.0 is ok.
> >>
> >
> > TLS 1.0 is dead and is even now banned in new installations according to
> > the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
> > by *any* HTTPS site now.
>
> Maybe it is dead, but it is still used in many old browsers / software
> still in use.
>
> In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 by 30 June 2016.
> (New installations "in theory" should not be built on TLS 1.0.)
>
> So we have 1 year, and the FreeBSD forum is not an e-commerce site ;)

People seem determined to make sure the FreeBSD forums are one of the first
sites to ban TLS 1.0, as some sort of best-practice example.

I admit my knowledge of TLS issues is scant. I'd like to know whether
allowing TLS 1.0 - with fallback from later levels denied, as it already
is - endangers the server, or only the client?

If there's a clearly stated and immediate danger to the forum server, I can
accept that, but I'd have thought https://www and svnweb would be more at
such peril? Will there be any notice before they're denied TLS 1.0 access
also?

If it's just for making the sort of point that Mark is advocating, to force
people to join this 'rolling automatic update' model so beloved of Microsoft
and their captive hardware vendors, then I think doing that, without any
sort of prior notice, is rather less than I've come to expect from the
FreeBSD project over 17 years.

But I'm a grandpa too; guess I have old-fashioned expectations :)

cheers, Ian
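Ian's question above turns on what "fallback from later levels denied" actually buys. The mechanism behind that phrase is the TLS_FALLBACK_SCSV signalling cipher suite of RFC 7507: a client that retries a failed handshake at a lower version appends the SCSV, and a server that supports something higher than the offered version answers with an inappropriate_fallback alert instead of quietly completing the downgraded handshake. The toy model below, added here as an illustration and not code from the FreeBSD project, the forums, or anyone in the thread, runs the version-negotiation logic with both sides' messages for the cases the thread argues about: a modern client, a modern client whose TLS 1.2 and 1.1 attempts an attacker kills, a pre-RFC 7507 client in the same situation, and a client that genuinely speaks nothing newer than TLS 1.0. Version numbers, the SCSV value and the alert names are from the RFCs; the Client, Server and connect() shapes and the `interfere` hook standing in for an attacker dropping connections are simplifications made up for this example, and no real TLS records are produced.

```python
"""Toy model of TLS version negotiation with TLS_FALLBACK_SCSV (RFC 7507).

Added example; not FreeBSD project or forum code.  Version numbers, the
SCSV value and the alert names come from the RFCs; the Client, Server and
connect() shapes and the `interfere` hook are simplifications invented here.
"""
from dataclasses import dataclass

# Protocol versions as (major, minor) on the wire (RFC 2246 .. RFC 5246).
SSL30 = (3, 0)
TLS10 = (3, 1)
TLS11 = (3, 2)
TLS12 = (3, 3)
ALL_VERSIONS = (SSL30, TLS10, TLS11, TLS12)
NAME = {SSL30: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

# Signalling cipher suite value from RFC 7507 section 2.
TLS_FALLBACK_SCSV = 0x5600
# Two real suite values so a ClientHello looks plausible; which ordinary
# suites are offered is irrelevant to the version logic modelled here.
ORDINARY_SUITES = [0xC02F, 0x002F]  # ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA


@dataclass
class ClientHello:
    client_version: tuple
    cipher_suites: list


@dataclass
class ServerHello:
    server_version: tuple


@dataclass
class Alert:
    description: str


class Server:
    """Accepts versions in [min_version, max_version] and honours the SCSV."""

    def __init__(self, min_version, max_version):
        self.min_version = min_version
        self.max_version = max_version

    def handle(self, hello):
        # RFC 7507 section 3: SCSV plus a client_version below our highest
        # supported version means the client already tried something higher
        # and it failed.  We do support higher, so that failure was not ours:
        # refuse rather than proceed with the downgraded handshake.
        if (TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.client_version < self.max_version):
            return Alert("inappropriate_fallback")
        chosen = min(hello.client_version, self.max_version)
        if chosen < self.min_version:
            return Alert("protocol_version")
        return ServerHello(chosen)


class Client:
    """Offers its highest version first and, like browsers of the POODLE era,
    retries one version lower when a connection attempt fails."""

    def __init__(self, max_version, min_version=TLS10, sends_scsv=True):
        self.max_version = max_version
        self.min_version = min_version
        self.sends_scsv = sends_scsv

    def hello_for(self, version):
        suites = list(ORDINARY_SUITES)
        # RFC 7507 section 4: the SCSV is appended only on a fallback retry.
        if self.sends_scsv and version < self.max_version:
            suites.append(TLS_FALLBACK_SCSV)
        return ClientHello(version, suites)


def connect(client, server, interfere=None):
    """Run the fallback dance.  interfere(version) returning True models an
    attacker (or broken middlebox) killing the attempt at that version before
    the server sees it.  Returns ("ok", version), ("alert", name) or
    ("fail", reason)."""
    candidates = [v for v in reversed(ALL_VERSIONS)
                  if client.min_version <= v <= client.max_version]
    for version in candidates:
        if interfere is not None and interfere(version):
            continue  # attempt died; the client falls back to the next version
        reply = server.handle(client.hello_for(version))
        if isinstance(reply, Alert):
            return ("alert", reply.description)
        return ("ok", reply.server_version)
    return ("fail", "no version could be negotiated")


if __name__ == "__main__":
    # Hypothetical server that still allows TLS 1.0 but honours the SCSV.
    forum = Server(min_version=TLS10, max_version=TLS12)

    def drop_above_10(version):  # attacker kills the 1.2 and 1.1 attempts
        return version > TLS10

    cases = [
        ("modern client, no attacker", Client(TLS12), forum, None),
        ("modern client, forced down", Client(TLS12), forum, drop_above_10),
        ("pre-RFC 7507 client, forced down",
         Client(TLS12, sends_scsv=False), forum, drop_above_10),
        ("client that only speaks 1.0", Client(TLS10), forum, None),
        ("same client, server minimum 1.2",
         Client(TLS10), Server(TLS12, TLS12), None),
    ]
    for label, c, s, f in cases:
        status, detail = connect(c, s, f)
        print(f"{label:34s} -> {status} {NAME.get(detail, detail)}")
```

Run as a script it prints one line per case. What the model makes visible is the split Ian asks about: with the SCSV honoured, a client that can speak TLS 1.2 cannot be talked down to 1.0 by an attacker interfering with its connections, whereas a client that only speaks 1.0 sends no SCSV and gets 1.0 for as long as the server's minimum allows it. Denying fallback protects modern clients from downgrade; it does nothing for clients that never had a higher version to fall back from, and the server still has to run its TLS 1.0 code paths for them.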