On Thu, 14 May 2015 17:32:53 +0200, Adam Major wrote:
> Hello
>
> >> But I don't think disabling TLS 1.0 is ok.
> >>
> >
> > TLS 1.0 is dead and is even now banned in new installations according
> > to the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be
> > supported by *any* HTTPS site now.
>
> Maybe it is dead, but it is still used in many old browsers / software.
>
> In PCI DSS 3.1 merchants must remove SSL and TLS 1.0 by 30 June 2016.
> (new installations "in theory" should not be built on TLS 1.0).
>
> So we have 1 year, and the FreeBSD forum is not an e-commerce site ;)
People seem determined to make sure freebsd forums are one of the first
sites to ban TLS 1.0, as some sort of best-practice example.
I admit my knowledge of TLS issues is scant. I'd like to know whether
allowing TLS 1.0 - with fallback from later levels denied, as it already
is - endangers the server, or only the client? If there's a clearly
stated and immediate danger to the forum server, I can accept that, but
I'd have thought https://www and svnweb would be more at such peril?
Will there be any notice before they're denied TLS 1.0 access also?
If it's just for making the sort of point that Mark is advocating, to
force people to join this 'rolling automatic update' model so beloved of
Microsoft and their captive hardware vendors, then I think doing that,
without any sort of prior notice, is rather less than I've come to
expect from the FreeBSD project over 17 years.
But I'm a grandpa too; guess I have old-fashioned expectations :)
cheers, Ian