On 14 May 2015 at 06:08, Mark Felder <feld at freebsd.org> wrote:
>
>
> On Thu, May 14, 2015, at 05:19, Adam Major wrote:
>> Hello
>>
>> I checked now by sslLabs.com:
>> https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org
>>
>> and score is A+
>>
>> But I don't think disabling TLS 1.0 is ok.
>>
>
> TLS 1.0 is dead and is even now banned in new installations according to
> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
> by *any* HTTPS site now.

Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
upgrade their software. I'm looking to celebrate the day when we have
1.1 and 1.2 enabled.

--
-------
inum: 883510009027723
sip: jungleboogie at sip2sip.info
xmpp: jungle-boogie at jit.si
On 14 May 2015, at 16:13, jungle Boogie wrote:
> On 14 May 2015 at 06:08, Mark Felder <feld at freebsd.org> wrote:
>>
>> TLS 1.0 is dead and is even now banned in new installations according to
>> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
>> by *any* HTTPS site now.
>
>
> Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
> upgrade their software. I'm looking to celebrate the day when we have
> 1.1 and 1.2 enabled.

That's always the problem with guys like you and me who live in the real world. We can't cope with "what should be dead and no longer used". Deprecated tomcat/Java/SSL/You-name-it software that you can't just upgrade because it's used with hardware/software you can't get rid of. At work we are in the ridiculous state where we have to package old browser + old Java into VMware ThinApp "bubbles" to access production tools.

Removing TLS 1.0 is not a good move. It's possible to provide SSL with TLS 1.2, having protection against protocol downgrade, and still provide TLS 1.1 and 1.0 for older browsers.

patpro
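The thread does not name the downgrade protection patpro has in mind; the standard mechanism that lets a server keep TLS 1.0 and 1.1 enabled for old clients while refusing a deliberate fallback from a client that could have spoken a higher version is TLS_FALLBACK_SCSV (RFC 7507). The following is an added example, not code from the thread or from FreeBSD, that models the server-side check in Python; the ClientHello bytes, the cipher suite values and the server's assumed version range are constructed for the example.

```python
"""TLS_FALLBACK_SCSV (RFC 7507) server-side check, modelled in Python.

Added example, not code from the thread: a server that still offers
TLS 1.0/1.1 to old clients but rejects a deliberate fallback from a client
that could have spoken a higher version. Wire versions: 0x0301 = TLS 1.0,
0x0302 = TLS 1.1, 0x0303 = TLS 1.2. Cipher suite values are constructed."""
import struct

TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value, RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86   # alert description, RFC 7507
SERVER_MAX_VERSION = 0x0303         # assumed server: TLS 1.2 down to 1.0

def client_cipher_suites(suites, is_fallback):
    """Client side: append the SCSV only on a retry at a lower version."""
    return list(suites) + ([TLS_FALLBACK_SCSV] if is_fallback else [])

def build_client_hello(version, suites):
    """Constructed minimal ClientHello body (no extensions) for the example."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return (struct.pack("!H", version) + bytes(32)      # version, random
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", len(cs)) + cs)           # cipher_suites

def parse_client_hello(body):
    """Return (client_version, [cipher suites]) from a ClientHello body."""
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                      # skip random
    pos += 1 + body[pos]              # skip session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + n, 2)]
    return version, suites

def server_check(client_version, suites, server_max=SERVER_MAX_VERSION):
    """RFC 7507 section 3: alert number to send, or None to proceed."""
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        # A genuine old client never sends the SCSV, so this is a modern
        # client pushed below the version both sides support: refuse it
        # instead of silently negotiating TLS 1.0.
        return ALERT_INAPPROPRIATE_FALLBACK
    return None

def handle_client_hello(body, server_max=SERVER_MAX_VERSION):
    """Server decision: ("alert", n) or ("version", negotiated_version)."""
    client_version, suites = parse_client_hello(body)
    alert = server_check(client_version, suites, server_max)
    if alert is not None:
        return ("alert", alert)
    return ("version", min(client_version, server_max))
```

A client that genuinely only speaks TLS 1.0 never includes the SCSV and is still served, which is the combination patpro describes.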