On Sun, Aug 06, 2017 at 06:03:30PM +0200, Sebastian Andrzej Siewior wrote:
> On 5 August 2017 23:31:33 CEST, Kurt Roeckx <k...@roeckx.be> wrote:
> >I planned to break things by disabling TLS 1.0 and 1.1, which I
> >might upload soon. I guess I can fix that at the same time.
> Do you intend a transition like we had for SSLv2 removal or do you plan just
> to disable it? I remember a few packages using TLSv functions instead of
> SSLv23 which is what should be used (and those will end up with nothing).
I'm not sure what to do with the TLSv* methods. They have been
deprecated and will be removed in 1.2. I could make them return
NULL, or I could keep them working. I think I'm currently going
for just making them return NULL.
I don't plan to remove any symbols, so there should be no need to
change the soname.
> Removing TLS1.0 and TLS1.1 sounds early but given that we aim for Buster it looks
> alright. My web server serves 1.2 only which only rejects a few bots of
> questionable origin. My email server logs a few 1.0 legitimate connections
> but that's how it is. They usually fall back to a plain connection. Shouldn't we
> announce it on D-D-A?
Yes, the aim is to have this for Buster by default. And we can
always revert this if too much is broken. But I think Buster is
far enough in the future to try and do this now.