I don't think outputting to stderr is feasible as OpenSSL might be used in a use case that has no tty connected. Likewise there is no guarantee that syslog will exist.
What would likely be reasonable would be a twofold approach:

1) Issue a warning on build if TLS1.1/1.0 were enabled at build time (or some other build time notification)
2) augment openssl version (or other openssl applet) to indicate that TLS1.1/1.0 support is built in but is deprecated

On Tue, Aug 6, 2024 at 11:17 AM Marco Moock <[email protected]> wrote:
> On Tue, 6 Aug 2024 05:02:14 -0400, Neil Horman <[email protected]> wrote:
>
> > 1) Are distributions/users comfortable with this approach in the time
> > frame proposed?
>
> As a user, this is acceptable for me, but I know there are still
> machines outside that only offer such old versions.
> Some of them can't be upgraded easily because the vendor doesn't
> provide any new versions.
>
> > 3) If the deprecated protocols are re-enabled, what would constitute a
> > reasonable warning mechanism to inform users that these protocols are
> > going away at some point in the future to pressure users to update to
> > a newer, more secure protocol?
>
> Is it reasonable to output that on STDERR any time those protocols are
> used?
>
> Maybe log to syslog?
>
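As an added example that is not part of this thread or of OpenSSL itself, the following Python shows what the two points above look like from an application's side: reporting whether the linked OpenSSL was built with TLS 1.0/1.1 support, and raising a DeprecationWarning (instead of writing to stderr or syslog, which the thread notes may not exist) when a caller lowers the protocol floor to a deprecated version. The function and constant names are this example's own.

```python
import ssl
import warnings

# Protocol floors the thread treats as deprecated (names are this example's).
TLS1_0 = ssl.TLSVersion.TLSv1
TLS1_1 = ssl.TLSVersion.TLSv1_1
TLS1_2 = ssl.TLSVersion.TLSv1_2
DEPRECATED_FLOORS = (TLS1_0, TLS1_1)


def build_time_support():
    """Report the linked OpenSSL and whether it was built with TLS 1.0/1.1.

    Python exposes the compile-time state of the library it links against;
    this is the kind of notice point 2 above asks 'openssl version' to give.
    """
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "TLSv1": ssl.HAS_TLSv1,
        "TLSv1_1": ssl.HAS_TLSv1_1,
    }


def make_client_context(min_version=TLS1_2):
    """Create a client context; warn when a deprecated floor is re-enabled.

    The warning goes through the warnings machinery so the embedding
    application decides where (or whether) it surfaces; nothing is written
    to stderr or syslog directly.
    """
    ctx = ssl.create_default_context()
    if min_version in DEPRECATED_FLOORS:
        warnings.warn(
            f"{min_version.name} is deprecated and scheduled for removal; "
            "raise minimum_version to TLSv1_2 or later",
            DeprecationWarning, stacklevel=2)
    # An OpenSSL built without the protocol rejects the floor with ValueError.
    ctx.minimum_version = min_version
    return ctx


def deprecated_floor_warnings(min_version):
    """Return the DeprecationWarning messages emitted for a given floor."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            make_client_context(min_version)
        except ValueError:
            pass  # protocol not built in: the warning was still issued
    return [str(w.message) for w in caught
            if issubclass(w.category, DeprecationWarning)]
```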
