On Tue, Jun 19, 2018 at 4:48 PM, Tomas Hozza <tho...@redhat.com> wrote:
>
>
> On 19.06.2018 13:20, Loganaden Velvindron wrote:
>> On Tue, Jun 19, 2018 at 3:18 PM, Tim Rühsen <tim.rueh...@gmx.de> wrote:
>>> On 06/19/2018 12:44 PM, Loganaden Velvindron wrote:
>>>> Hi All,
>>>>
>>>> As per:
>>>> https://tools.ietf.org/html/draft-moriarty-tls-oldversions-diediedie-00
>>>>
>>>> Attached is a tentative patch to disable TLS 1.0 and TLS 1.1 by
>>>> default. No doubt that this will cause some discussions, I'm open to
>>>> hearing all opinions on this.
>>>>
>>>
>>> Good idea for the public internet.
>>>
>>> IMO there are too many 'internal' devices / hardware that are not
>>> up-to-date and impossible to update.
>>>
>>> What about amending the patch so that we apply it only to public IP
>>> addresses?
>>
>> This sounds reasonable.
>>
>>>
>>> And even then - we should not just 'fail' on older servers but tell the
>>> user why wget fails and what to do about it. In the end, the user is
>>> responsible and in control.
>>
>> Yes, giving some info to the user would be good too.
>> I will update the patch.
>
> Hi.
>
> When doing the change, please make sure that you change also the gnutls
> implementation. Some distributions (e.g. Fedora) compile wget with gnutls
> instead of openssl. I expect that the behavior should be consistent
> regardless of the crypto library that is being used.
>

Yes, will do. Thanks for pointing this out.

> Regards,
> Tomas
>
>>>
>>> Regards, Tim
>>>
>>
>
> --
> Tomas Hozza
> Associate Manager, Software Engineering - EMEA ENG Core Services
>
> PGP: 1D9F3C2D
> UTC+1 (CET)
> Red Hat Inc. http://cz.redhat.com