On 2017-09-11 12:30:30 [+0200], Raphael Hertzog wrote:
> Yes, I'm aware of that but Kurt never said that he would be willing to
> back off from completely disabling it before the buster release and
> I don't see any benefit in modifying all server applications to re-enable
> the protocols that we want to support out-of-the box because there
> are (outside of Debian) old applications that will have to connect to
> those servers.
My understanding is that it will stay as-is and every package that needs TLS < 1.2 needs to add an option and the mentioned function to use the lower TLS version. The changes Kurt asked about are something that openssl upstream supports and is something that openssl 1.1 considers the right way of doing things (in contrast to the disable TLS-version X thingy, which is marked deprecated or going to…).

> I understand we need to fix the client applications that we ship in Debian
> so that they work with TLS 1.2-only servers and for this it might be
> useful to disable TLS 1.0 and TLS 1.1 by default in unstable for a while.

As I said, TLS 1.[01] is supported in unstable if the *set_min_proto_version() is used. I think in the meantime offlineimap has been fixed and I sent something for dovecot (but know about its status).

> But in Debian testing, we have real end-users (direct and through
> "rolling" derivatives) and they should not have to be impacted by this
> experiment IMO.

So what problems do those users see? If the package lacks 1.2 support then it should be reported & fixed. If the package requires <1.2 support because the remote side can't be changed then this should be reported and patched as well. Feel free to Cc the list so I can look and maybe make a patch if I have some spare time.

I personally don't see a reason to keep this bug open since it is unlikely that things change here. Also it is unwise to make such a change two days before the release of Buster. *Now* we have the time to act.

Cheers,
Sebastian
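The "add an option and call *set_min_proto_version()" pattern described above, as an added Python example that is not from this thread or from any Debian package: ssl.SSLContext.minimum_version is CPython's binding of OpenSSL's SSL_CTX_set_min_proto_version(), and the option values and function names below are assumptions.

```python
import ssl

# Config values an application might accept for the new option (assumed
# names; the message only says each package "needs to add an option").
_PROTO_NAMES = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Debian's openssl 1.1 turns TLS 1.0/1.1 off by default, so an application
# that does not set the option should end up with the same floor.
DEFAULT_MIN_PROTOCOL = "TLSv1.2"


def parse_min_protocol(name):
    """Map a config string such as 'TLSv1.1' to ssl.TLSVersion, rejecting typos."""
    key = name.strip()
    if key not in _PROTO_NAMES:
        raise ValueError(
            f"unknown TLS protocol {name!r}; expected one of {sorted(_PROTO_NAMES)}")
    return _PROTO_NAMES[key]


def make_context(min_protocol=None, purpose=ssl.Purpose.SERVER_AUTH):
    """Build an SSLContext whose floor comes from the option, not from OP_NO_* flags.

    minimum_version is CPython's binding of SSL_CTX_set_min_proto_version(),
    the call the message recommends. The deprecated alternative it replaces is
        ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    which disables versions one flag at a time instead of stating a floor.
    """
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = parse_min_protocol(min_protocol or DEFAULT_MIN_PROTOCOL)
    return ctx


if __name__ == "__main__":
    # A deployment that still has to talk to a TLS 1.0-only peer opts in
    # explicitly; everything else keeps the distribution default.
    legacy = make_context("TLSv1")
    print("explicit option:", legacy.minimum_version.name)
    print("no option:      ", make_context().minimum_version.name)
```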