Source: openssl Version: 1.1.0f-5 Severity: serious Hello Kurt,
I looked back at the debian-devel discussion and it seems to me that the majority of persons who expressed themselves (including Moritz Mühlenhoff of the Debian security team) believe that buster should ship with TLS 1.0 and TLS 1.1 enabled. Given this, I would like to request you to make sure that Debian testing has a version of openssl with TLS 1.0 and TLS 1.1 enabled. The rough consensus seems to be that it's ok for you to use Debian unstable as a test-bed for your experiment to disable TLS 1.0 and TLS 1.1. While that might not be practical to manage when you have to push an update to testing, it's a burden that you should accept since you believe that Debian experimental will not give enough exposure. Please do listen to your fellow developers. Thank you. Cheers, PS: I'm filing this because I would like to not have to fork OpenSSL for Kali. It's counter-productive to go too fast in deprecating old protocols. You will only get less users using the official Debian package with all the risks it involves. Or at least I would like a system-wide flag (in a configuration file?) to let me re-enable old protocols easily. -- System Information: Debian Release: buster/sid APT prefers oldoldstable APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.12.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- no debconf information