On 14 May 2015, at 16:13, jungle Boogie wrote:
> On 14 May 2015 at 06:08, Mark Felder <feld at freebsd.org> wrote:
>>
>> TLS 1.0 is dead and is even now banned in new installations according to
>> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
>> by *any* HTTPS site now.
>
>
> Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
> upgrade their software. I'm looking to celebrate the day when we have
> 1.1 and 1.2 enabled.

That's always the problem with guys like you and me who live in the real world. We can't cope with "what should be dead and no longer used". Deprecated tomcat/Java/SSL/You-name-it software that you can't just upgrade because it's used with hardware/software you can't get rid of.
At work we are in the ridiculous state where we have to package old browser + old Java into VMware ThinApp "bubbles" to access production tools.

Removing TLS 1.0 is not a good move. It's possible to provide SSL with TLS 1.2, having protection against protocol downgrade, and still provide TLS 1.1 and 1.0 for older browsers.

patpro
On 5/14/2015 10:20, Patrick Proniewski wrote:
> On 14 May 2015, at 16:13, jungle Boogie wrote:
>
>> On 14 May 2015 at 06:08, Mark Felder <feld at freebsd.org> wrote:
>>> TLS 1.0 is dead and is even now banned in new installations according to
>>> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
>>> by *any* HTTPS site now.
>>
>> Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
>> upgrade their software. I'm looking to celebrate the day when we have
>> 1.1 and 1.2 enabled.
>
> That's always the problem with guys like you and me who live in the real world. We can't cope with "what should be dead and no longer used". Deprecated tomcat/Java/SSL/You-name-it software that you can't just upgrade because it's used with hardware/software you can't get rid of.
> At work we are in the ridiculous state where we have to package old browser + old Java into VMware ThinApp "bubbles" to access production tools.
>
> Removing TLS 1.0 is not a good move. It's possible to provide SSL with TLS 1.2, having protection against protocol downgrade, and still provide TLS 1.1 and 1.0 for older browsers.
>
> patpro

I'd love to lock out TLS 1.0 but if you do that anyone still running anything that uses XP cannot connect. There ARE people out there still using that in the wild. Not a huge number, but a material number. On several relatively large systems I monitor the "in the wild" user count for Windows XP is still around 4% of all users to the sites.

Same problem with RC4. I'd love to lock that out too, but see above -- that means 4% of the users can't connect (at all.)

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
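Both Patrick's point (keep 1.0/1.1 available alongside 1.2 for older clients) and Karl's 4% figure come down to the same question: how many clients actually still depend on TLS 1.0 or RC4, and what breaks if they are switched off. The script below is an added example, not code from the thread or from any of its authors. It assumes an nginx access log whose log_format appends the real nginx variables $ssl_protocol and $ssl_cipher after the user agent; the log_format and every sample line are constructed for the example (203.0.113.0/24 is documentation address space). It reports the share of HTTPS requests per protocol, the clients that never negotiated anything better than TLS 1.0 or an RC4 suite (the ones a lockout would actually cut off), and the Windows XP user agents, which are not the same set: a current browser on XP can still speak TLS 1.2. The downgrade protection Patrick mentions is a TLS-library matter (TLS_FALLBACK_SCSV, RFC 7507) and does not show up in the log; this script only measures who is on which protocol.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). Assumed log_format:
#   log_format tls '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" $ssl_protocol $ssl_cipher';
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2015:16:13:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [14/May/2015:16:13:02 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" TLSv1 RC4-SHA
203.0.113.12 - - [14/May/2015:16:13:03 +0200] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 Chrome/42.0.2311.135 Safari/537.36" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.13 - - [14/May/2015:16:13:04 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 Safari/600.6.3" TLSv1.2 ECDHE-RSA-AES256-SHA384
203.0.113.14 - - [14/May/2015:16:13:05 +0200] "POST /api HTTP/1.1" 200 64 "-" "Java/1.7.0_45" TLSv1 AES128-SHA
203.0.113.15 - - [14/May/2015:16:13:06 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.1.2) AppleWebKit/534.30 Mobile Safari/534.30" TLSv1 ECDHE-RSA-AES128-SHA
203.0.113.11 - - [14/May/2015:16:13:07 +0200] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" TLSv1 RC4-SHA
203.0.113.16 - - [14/May/2015:16:13:08 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TLSv1.2 ECDHE-RSA-AES128-SHA256
203.0.113.17 - - [14/May/2015:16:13:09 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 Chrome/42.0.2311.135 Safari/537.36" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.10 - - [14/May/2015:16:13:10 +0200] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1; rv:37.0) Gecko/20100101 Firefox/37.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.18 - - [14/May/2015:16:13:11 +0200] "GET / HTTP/1.1" 301 0 "-" "curl/7.42.1" - -
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)


def parse_log(text):
    """One dict per HTTPS request. Malformed lines are skipped, as are
    plain-HTTP requests, for which nginx logs "-" as $ssl_protocol."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("proto") != "-":
            records.append(m.groupdict())
    return records


def protocol_share(records):
    """Fraction of HTTPS requests per negotiated protocol version."""
    counts = Counter(r["proto"] for r in records)
    total = len(records)
    return {proto: n / total for proto, n in counts.items()}


def clients_needing(records, protocols=("TLSv1",), cipher_markers=("RC4",)):
    """Client addresses whose *every* request used a protocol in `protocols`
    or a cipher whose name contains one of `cipher_markers`. A client that
    negotiated something outside those sets even once can evidently do
    better and is not counted. Counting by address approximates "users";
    NAT hides several users behind one address, so treat it as a floor."""
    seen = {}
    for r in records:
        legacy = r["proto"] in protocols or any(m in r["cipher"] for m in cipher_markers)
        seen.setdefault(r["ip"], []).append(legacy)
    return sorted(ip for ip, flags in seen.items() if all(flags))


def lockout_fraction(records, **kwargs):
    """Share of distinct clients that could no longer connect once the given
    protocols and cipher families are disabled on the server."""
    clients = {r["ip"] for r in records}
    if not clients:
        return 0.0
    return len(clients_needing(records, **kwargs)) / len(clients)


def xp_clients(records):
    """Clients whose user agent reports Windows XP (NT 5.1). Deliberately a
    separate measure from clients_needing(): XP with a current browser still
    negotiates TLS 1.2, so the two sets overlap but are not equal."""
    return sorted({r["ip"] for r in records if "Windows NT 5.1" in r["ua"]})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for proto, share in sorted(protocol_share(recs).items()):
        print(f"{proto:8s} {share:6.1%} of HTTPS requests")
    print("Windows XP clients:          ", xp_clients(recs))
    print("TLSv1/RC4-only clients:      ", clients_needing(recs))
    print(f"locked out if both disabled: {lockout_fraction(recs):.1%}")
```

Run it against a real log (swap SAMPLE_LOG for the file contents) before changing ssl_protocols or ssl_ciphers; the interesting numbers are the per-client ones, since request counts overstate chatty legacy clients such as the polling Java 7 agent in the sample. On the constructed data 40% of requests are TLS 1.0 but only 3 of 8 clients are actually confined to it, and one of the two XP user agents is already on TLS 1.2.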
On Thu, May 14, 2015, at 10:20, Patrick Proniewski wrote:
> On 14 May 2015, at 16:13, jungle Boogie wrote:
>
>> On 14 May 2015 at 06:08, Mark Felder <feld at freebsd.org> wrote:
>>>
>>> TLS 1.0 is dead and is even now banned in new installations according to
>>> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
>>> by *any* HTTPS site now.
>>
>>
>> Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
>> upgrade their software. I'm looking to celebrate the day when we have
>> 1.1 and 1.2 enabled.
>
> That's always the problem with guys like you and me who live in the real
> world. We can't cope with "what should be dead and no longer used".
> Deprecated tomcat/Java/SSL/You-name-it software that you can't just
> upgrade because it's used with hardware/software you can't get rid of.
> At work we are in the ridiculous state where we have to package old
> browser + old Java into VMware ThinApp "bubbles" to access production
> tools.
>
> Removing TLS 1.0 is not a good move. It's possible to provide SSL with
> TLS 1.2, having protection against protocol downgrade, and still provide
> TLS 1.1 and 1.0 for older browsers.

I'm in the same boat right now fighting with a vendor who can't get their software to work beyond Java 1.7u45 (Java 7 is EoL ...)

You can and will get rid of it when the cost of maintaining that awful, insecure software stack is more than throwing it away and cutting your losses. There is a righteous push right now for security and for new development practices: release early, release often, keep your software tested and working against modern software and libraries. This creates work for corporations and increases the cost of maintaining their cash cows. It's going to cut into their bottom lines. They're going to get angry. But their software is going to be better for it. Right now it's too easy to hack and compromise because the entire internet is lazy.

Bad security practices have completely poisoned the well and it's time to forcibly drain it and start anew. It's going to hurt, and it's not going to be fun for grandma because someone needs to pick up the slack and make keeping up to date and secure computing a thoughtless task. For example, Windows 10 looks to eventually be a rolling release; strategies like that will help keep end-users up to date and secure.

Personally I agree with phk that we don't need https *everywhere*. However, if you're going to implement crypto you need to do it right.
Patrick Proniewski <patpro at patpro.net> wrote:
> That's always the problem with guys like you and me who live in the real world. We can't cope with "what should be dead and no longer used". Deprecated tomcat/Java/SSL/You-name-it software that you can't just upgrade because it's used with hardware/software you can't get rid of.

FreeBSD needs more mature code management to restrict idealists, eg:
- src/ bsd tar : bad code rushed in too soon to replace Gnu (I filed fixes).
- ports/mail/majordomo : Deleted as mature! An immature reason.
- ports/print/acroread9 deleted for security (so use chroot) & as Adobe support ceased (so use compat/). Government would fine me lots of money & close down the company if I don't continue use of it.
- Those last two I will need to maintain outside FreeBSD.org.

Cheers,
Julian
-- 
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with "> ". Reply Below as a play script.
Send plain text, Not quoted-printable, HTML, or base64.