On Mon, Aug 07, 2017 at 08:35:52PM +0200, Kurt Roeckx wrote: > On Mon, Aug 07, 2017 at 05:22:51PM +0200, Joerg Jaspert wrote: > > I wonder if there is a middle way that ensures that all new stuff does > > go TLS1.2 (or later, whenever), but does allow older stuff still to > > work. Which isnt the case if they are just disabled. > > I could change the default settings to set the minimum supported > version as TLS 1.2. That is, act like > SSL_CTX_set_min_proto_version() was called with TLS1_2_VERSION. > That would allow applications to override this this by calling > SSL_CTX_set_min_proto_version(). But then those are new > functions in 1.1.0 and they probably aren't supported by many > applications.
I have a patch for that at: https://github.com/openssl/openssl/pull/4128 I might upload this soon. The intention is still to ship Buster with TLS 1.0 and 1.1 completly disabled. Kurt