On Aug 7, 2017 8:23 AM, "Joerg Jaspert" <jo...@debian.org> wrote:

On 14757 March 1977, Kurt Roeckx wrote:

> This will likely break certain things that for whatever reason
> still don't support TLS 1.2. I strongly suggest that if it's not
> supported that you add support for it, or get the other side to
> add support for it.

In many cases this isn't possible.


I can think of a lot of "enterprise" tools that have been built for older
versions of Java. In most cases, the vendors have no interest in doing
anything required to get away from a TLSv1.0 requirement. I'm also aware
that some of the well-known search engine bots support only TLSv1.0.

Is there an actual need for the removal of TLS v1.{0,1}? Are either
considered broken or unsupported by upstream? If not, I'd be much more
concerned about what's going to start breaking by making this change.

Shouldn't a change like this at least start with packages such as nginx,
apache, etc. and seeing if they can drop those from the default
configuration? Heck, I'm sure we could even include a comment along the
lines of "if you need to re-enable older TLS versions due to application
compatibility, please respond to bug #123".

I'm not sure what exactly would be a better idea, but disabling globally
with no easy workaround sounds like a recipe for pain and very angry users.
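As an added example (not part of this thread), this is what the per-package default the message suggests could look like for nginx: TLSv1.0/1.1 dropped from the shipped configuration, with the opt-back-in comment right next to it. The hostname, certificate paths and bug number are placeholders.

```nginx
# Example default TLS stanza for a Debian nginx site (added illustration,
# not Debian's or nginx's own shipped configuration).
server {
    listen 443 ssl;
    server_name example.org;                              # placeholder hostname
    ssl_certificate     /etc/ssl/certs/example.pem;       # placeholder paths
    ssl_certificate_key /etc/ssl/private/example.key;

    # Default: TLSv1.2 only. TLSv1.0 and TLSv1.1 are deliberately left out
    # of the default rather than disabled library-wide, so an admin can
    # still opt back in per site.
    ssl_protocols TLSv1.2;

    # If you need to re-enable older TLS versions due to application
    # compatibility (for example clients built on an old Java runtime),
    # use the following line instead and please respond to bug #NNN
    # (placeholder bug number) saying what needed it:
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```

The Apache mod_ssl equivalent of the default is `SSLProtocol -all +TLSv1.2`, with `+TLSv1 +TLSv1.1` added only when an opt-in is needed.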
