Clemens Lang wrote:
On 7. Aug 2024, at 19:48, Solar Designer <so...@openwall.com> wrote:
1. Hosting a public server that's meant to be usable by the widest
audience possible, including from both up-to-date and older systems.
For example, a website should display in latest web browsers, but
command-line downloads from the same server should also work from old
systems (e.g., running LTS distros).
Speaking of LTS distros: RHEL 6.10 supports TLS 1.2.
At what point is a distro not LTS, but a museum piece which we can ignore?
What currently supported LTS distro does not support TLS 1.2?
Legacy is a long tail and there is a big difference between
communications on the open Internet and support for archaic protocol
versions to talk to older devices on a LAN. Disabling support by
default is one thing; removing it entirely is another and much more serious.
2. Scanning or crawling a wide variety of systems, e.g. by a search
engine indexer, an asset enumeration tool, a security scanner, or during
a pentest.
What good is a search engine index of a webpage no modern browser will connect
to?
A user may have an older browser around, the page may also be available
via plain HTTP (very likely if the server is that old), or the search
engine might offer a cached copy. For a specific crawler that could
have use for this scenario, consider the Internet Archive Wayback Machine.
The other use cases sound like they’d be done with special tooling anyway, in
which case that can continue to ship an older version of OpenSSL for this
purpose.
Presumably that "older version of OpenSSL" would be unmaintained, which
means that it is likely to accumulate known exploits over time. This
could be *very* bad for an asset enumeration tool or security scanner
that could encounter a malicious server that insists on an old protocol
version in order to exploit that older library and crack the scanner host!
-- Jacob
