Hello!
Thanks Petter, for reporting this and helping me debug it today. I can confirm that just allowing TLSv1 would allow connections to the existing PageKite infrastructure. Upgrading the server in question is increasingly becoming a priority for me; I hope to get this sorted out relatively soon.

But this is certainly going to be an issue for others as well. The idea that any user of the next version of Debian will be unable to connect to anything using TLSv1 or TLSv1.1 strikes me as a bit excessive. These protocols have issues, but AFAIK they are NOT so broken as to require blacklisting. Please correct me if I'm wrong.

These defaults would make sense on web servers, where we know the mainstream clients are updated and patched promptly - but Debian is used in many other environments, for many other tasks where that is simply not the case. Debian users are NOT always in a position to force upgrades upon all the systems they need to communicate with.

So I strongly urge you to reconsider this policy. Is it really necessary? Do the security benefits justify the breakage? If security were the only concern, we'd all just switch our computers off and unplug them. There has to be a balance.

Responding to the comments above re SSLv3: given the choice between supporting SSLv3 and falling back to plain text, I'll choose to support SSLv3 any day. Due to some legacy clients, that was my reality. The idea that everyone should just upgrade everything is a luxury not afforded to people who are supporting diverse hardware in the field - and for better or worse, PageKite was embedded in devices that could not easily be upgraded. I am hoping there are few enough of them left in the wild that I can drop SSLv3 entirely, and soon - because given current Debian policies, I'm now being forced to choose between supporting them and supporting Debian. I'll probably choose Debian, but it won't be without a fair bit of cursing and frustration...
The need to support legacy devices was actually one of the main reasons why I haven't upgraded that server: at some point Debian chose to remove SSLv3 support from OpenSSL at compile time, thus preventing me from upgrading and forcing me to keep a bunch of my servers at obsolete versions of Debian. So, I don't have support for TLSv1.2 on that machine (and a few others), because the maintainers of this package forced me to choose one or the other (maintaining my own forked OpenSSL packages was more work than I could reasonably handle). I do wish this had been handled differently, and I'm very glad this time it's just a config file!

That said... thanks for all your hard work on this! I know everyone's doing their best, even though I rather strongly disagree with some of your choices.

Thanks for reading! :-)

-- 
PageKite.net lets your personal computer be part of the web