Dear list,

right now I struggle with some issues about supported encryption protocols in Debian 6 LTS.

The technical recommendation of the BSI (see 1.) for TLS states that TLSv1.0 is no longer recommended starting in 2015. The same document says that TLSv1.1 may be used in 2015 resp. 2017+ with some restrictions. Now, Debian 6 LTS has an OpenSSL that only supports TLSv1.0 and a GnuTLS that supports TLSv1.1, but without PFS.

According to the (legal) requirements of the BayLDA (see 2.), mail servers must support STARTTLS and PFS (Perfect Forward Secrecy), and the Heartbleed bug must be fixed (see 3.).

Combining these, we find that Debian 6 LTS could no longer be used in 2015, because in OpenSSL (which is used as the standard library for encryption in most applications) TLSv1.2 (resp. TLSv1.1 with some restrictions) is missing, and in GnuTLS PFS is missing. But Ubuntu 12 LTS has an OpenSSL which supports TLSv1.2 and PFS.

Furthermore, I discovered mail services of my clients that only support TLSv1.2, and because of this, encrypted e-mail communication fails. And, from an IT security point of view, I can only recommend to my clients a service or software that complies with the protective legal requirements. Additionally, I think that the supported encryption protocol is a security issue!

To sum this up: we need Debian 6 LTS with TLSv1.2 (i.e. with a recent OpenSSL implementation).

With best regards

*Uwe Disch*
Managing Director, Disch Services GmbH
E-Mail: mailto:[email protected]
Phone: 09123 966 25 12
Internet: http://disch-services.de
Legal notice (Impressum): http://disch-services.de

Mandatory disclosures pursuant to §35a para. 1 sentence 1 GmbHG, among others:
Managing director authorised to represent the company: Dipl.-Ing. (FH) Uwe Disch
Company name: Disch Services GmbH
Legal form: GmbH
Registered office: Lauf
Register court: Amtsgericht Nürnberg HRB 18 503
VAT ID: DE 217 813 642

Ingenieurbüro Disch: solution-oriented, technological, innovative. http://disch-online.de
Participant in the Allianz für Cyber-Sicherheit <https://www.allianz-fuer-cybersicherheit.de>.

I hereby object to any use or transfer of my data beyond this contact, regardless of the purpose for which it takes place. In particular, I object to the use or transfer of my data for advertising purposes or for market or opinion research.

References:
1. Bundesamt für Sicherheit in der Informationstechnik: https://www.bsi.bund.de/DE/Publikationen/Mindeststandards/SSL-TLS-Protokoll/SSL-TLS-Protokoll_node.html
2. Bayerisches Landesamt für Datenschutzaufsicht: http://www.lda.bayern.de
3. http://www.lda.bayern.de/onlinepruefung/emailserver.html

On 07.10.2014 at 15:10, Raphael Hertzog wrote:
> Hello Uwe,
>
> you probably know the Debian LTS project[1] which aims to provide
> 5 years of security updates to all Debian releases. As part of this
> project, we did set up an offer so that companies benefiting from this
> extended support can contribute with financial support. By pooling
> resources of multiple companies, we hope to be able to sustain this nice
> project.
>
> At this time, the project is well underway but we have not yet
> achieved our goal of funding the equivalent of a full-time position:
>
> http://www.freexian.com/services/debian-lts.html
>
> Thanks to the support of fifteen companies, we have 42 hours sponsored
> each month. This is not enough yet, we want at least to double this
> amount, and ideally quadruple it.
>
> As (a) Debian consultant(s) listed on https://www.debian.org/consultants/,
> you are in touch with companies (and other organizations) using Debian
> (be it customers, partners, or yourself), and you could effectively
> relay our message.
>
> If — like us — you believe that the long term support of Debian is
> important for its credibility and its future, I invite you to identify
> the Debian-using companies/organizations that you know and that might
> contribute to the long term support of Debian. From there on,
> you can either contact those entities yourself (you can put
> [email protected] in copy of your emails to keep us informed),
> or you can give us the details of the company and of a possible
> contact so that we can offer them to participate in the Debian
> LTS project.
>
> You will find below[2] an email template that you can reuse to
> introduce the Debian LTS project and convince companies to participate.
>
> Thank you in advance for your help! If each Debian consultant convinces
> a company to join the project, we will quickly exceed our goals.
>
> Regards,
> Raphaël Hertzog <[email protected]>
>
> [1] http://wiki.debian.org/LTS
> [2] Email template:
> ----
> Hello,
>
> Debian GNU/Linux is an important piece of your IT infrastructure that you
> get for free. Debian would probably be even more valuable to you if
> it benefited from 5 years of support: no need to upgrade every 2 years,
> you can migrate to newer versions when you upgrade the hardware, etc.
>
> This is exactly what the Debian project is currently trying to do
> but they are short on volunteers to achieve this. To remedy this,
> a few Debian developers have set up an offer so that all companies can
> easily contribute to this project:
> http://www.freexian.com/services/debian-lts.html
>
> This initiative has the support of the Debian project:
> https://www.debian.org/News/2014/20140616
>
> If you ever wondered how you could give something back to the Debian project,
> this is the perfect opportunity. In a single operation, you support
> the work of some Debian contributors and you help them deliver more value to
> you with proper Long Term Support of all Debian releases.
>
> Are you interested in contributing to this project?
>
> If yes, please fill in the form at
> http://www.freexian.com/services/debian-lts-subscription-form.pdf and send
> it back to [email protected].
>
> If you have any questions about this offer, please ask them to Raphaël Hertzog
> <[email protected]> who is coordinating this operation.
>
> Thank you very much for your support!
> ----
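As an added example (not part of the mail above or of any Debian tooling), the following Python script connects to a mail server, upgrades with STARTTLS and reports the negotiated protocol version and whether the key exchange gives forward secrecy, which are the two properties the mail's requirements turn on. The TLSv1.2 minimum and the cipher-name heuristic are assumptions of this example; the host name is whatever you pass on the command line.

```python
"""Added example: report what an SMTP server negotiates over STARTTLS and
check it against the two requirements discussed above: protocol version
(TLSv1.2 minimum) and forward secrecy of the key exchange."""
import smtplib
import ssl

MIN_PROTOCOL = "TLSv1.2"  # assumed minimum, per the BSI recommendation cited above
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
PFS_KEX = {"ECDHE", "DHE"}  # ephemeral (EC)DH key exchange provides PFS


def has_forward_secrecy(cipher_name: str) -> bool:
    """True if the OpenSSL cipher name implies an ephemeral key exchange.
    TLS 1.3 suites always use (EC)DHE; older suites put the key exchange in
    the first token: ECDHE-RSA-AES128-GCM-SHA256 (PFS) vs AES128-SHA (static RSA).
    """
    if cipher_name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return cipher_name.split("-")[0] in PFS_KEX


def assess(protocol: str, cipher_name: str) -> dict:
    """Apply both requirements to a negotiated (protocol, cipher) pair."""
    rank = PROTOCOL_RANK.get(protocol, -1)  # unknown or legacy names rank lowest
    return {
        "protocol_ok": rank >= PROTOCOL_RANK[MIN_PROTOCOL],
        "pfs": has_forward_secrecy(cipher_name),
    }


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, upgrade with STARTTLS and assess what was actually negotiated."""
    context = ssl.create_default_context()  # certificate verification stays on
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "starttls": False}
        smtp.starttls(context=context)
        cipher_name, protocol, _bits = smtp.sock.cipher()
        result = {"host": host, "starttls": True, "protocol": protocol, "cipher": cipher_name}
        result.update(assess(protocol, cipher_name))
        return result


if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1]))  # e.g. python check_starttls.py mail.example.org
```

With a current Python the default context refuses anything below TLSv1.2, so a server stuck on TLSv1.0 (the Debian 6 OpenSSL case) shows up as a handshake error rather than a result, which is itself the finding.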