> On Sep 13, 2017, at 8:08 PM, Bruno Haible <br...@clisp.org> wrote:
>
> Paul Eggert wrote:
>> When it doesn't work, it's because I use Firefox configured
>> with security.tls.version.min set to 2, which means to use TLS 1.1 or
>> later,
>
> Well, that's a non-default configuration of Firefox :-)
>
>> and whatever lists.gnu.org clone I happen to contact is
>> old-fashioned and supports TLS 1.0 at best.
>
> Indeed, the SSL report of ssllabs.com for lists.gnu.org (208.118.235.17)
> says that the server supports only TLS 1.0.
>
>> No big deal; I wouldn't change the URLs back to HTTP as I expect the
>> matter will be fixed sooner or later.
>
> Even if it doesn't get fixed soon: I think it is better if people access
> a server over HTTPS with TLS 1.0, rather than with HTTP and no encryption
> at all. Even if ssllabs.com explains [1] that "TLS 1.0 is insecure".

So why not force proper software? Have the server require TLS 1.2, disable HTTP. Those who have clients that can't cope, let them sort it out. It doesn't make sense to implement insecure mechanisms to work around people who don't want to use the right software.

paul