CentOS - Oct 2019 - easy way to stop old ssl's

> Yes, breaking changes.  Doing this *will* cut off support for older
browsers.  On purpose.
Old browsers aren't really the problem. Even ff 45 (?) from CentOS5 will
happily access a TLSv1.2-only server. The problem is user that have old versions
of software installed with no TLSv1.2 support. SVN, python 2.7 scripts, etc.

On Oct 11, 2019, at 2:52 PM, isdtor <isdtor at gmail.com>
wrote:
> 
>> Yes, breaking changes.  Doing this *will* cut off support for older
browsers.  On purpose.
> 
> Old browsers aren't really the problem. Even ff 45 (?) from CentOS5
will happily access a TLSv1.2-only server.
IE 10 and older won?t, though: https://caniuse.com/#feat=tls1-2
> The problem is user that have old versions of software installed with no
TLSv1.2 support. SVN, python 2.7 scripts, etc.
Also true.  There?s a lot of stuff still linked to OpenSSL 1.0.0 and 0.98.

Without context it's impossible to make firm statements but, having gone
through this a while back (and discovering that less than 1 percent of an
examined list of connections couldn't support current ssl - mainly Apple
hardware), who do you want to protect?  Is it the minority who
won't/can't upgrade or the majority who have?  And, do you have to
protect yourself from liability (regulatory or contractual)?  If the environment
is in any way sensitive (Personally Identifiable Information, Health data,
Credit Card data) then the answer is obvious.
________________________________
From: CentOS <centos-bounces at centos.org> on behalf of Warren Young
<warren at etr-usa.com>
Sent: Friday, October 11, 2019 3:58 PM
To: CentOS mailing list <centos at centos.org>
Subject: [EXTERNAL] Re: [CentOS] easy way to stop old ssl's


Harriscomputer

Register now for the dataVoice User Conference,
October 9-11 at the Gaylord Rockies in Denver, CO.
To register click Here<https://www.harriscomputer.com/en/events/>


Leroy Tennison
Network Information/Cyber Security Specialist
E: leroy at datavoiceint.com


[cid:Data-Voice-International-LOGO_aa3d1c6e-5cfb-451f-ba2c-af8059e69609.PNG]


2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com<http://www..com>


This message has been sent on behalf of a company that is part of the Harris
Operating Group of Constellation Software Inc.

If you prefer not to be contacted by Harris Operating Group please notify
us<http://subscribe.harriscomputer.com/>.



This message is intended exclusively for the individual or entity to which it is
addressed. This communication may contain information that is proprietary,
privileged or confidential or otherwise legally exempt from disclosure. If you
are not the named addressee, you are not authorized to read, print, retain, copy
or disseminate this message or any part of it. If you have received this message
in error, please notify the sender immediately by e-mail and delete all copies
of the message.





On Oct 11, 2019, at 2:52 PM, isdtor <isdtor at gmail.com>
wrote:
>
>> Yes, breaking changes.  Doing this *will* cut off support for older
browsers.  On purpose.
>
> Old browsers aren't really the problem. Even ff 45 (?) from CentOS5
will happily access a TLSv1.2-only server.
IE 10 and older won?t, though:
https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fcaniuse.com%2f%23feat%3dtls1-2&c=E,1,OoDXU9RwckHnPZSdyy1A-Mat1VYd83r6qJeujdFE_9jDKQp4hvmqnE9CbbcsCi5OsTOOx75sM1xfwvskBnYzTm7sNq1P3DnbfLyLhGR491ys6viVqTrf&typo=1
> The problem is user that have old versions of software installed with no
TLSv1.2 support. SVN, python 2.7 scripts, etc.
Also true.  There?s a lot of stuff still linked to OpenSSL 1.0.0 and 0.98.
_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos