On 8/8/24 12:46 PM, Clemens Lang wrote:
> Hi,
> Speaking of LTS distros: RHEL 6.10 supports TLS 1.2.
RHEL 6.10 is not a supported distro; its Extended Life Cycle ended one
month and one week ago (30 Jun 2024):
https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates
> At what point is a distro not LTS, but a museum piece which we can ignore?
I believe after it is no longer supported. I also believe that LTS means
that the vendor/creator of the distro will provide the support, and will
make security patches and possibly back-port features if requested. This
is nothing the community should do for them. (I can claim to support a
20-year-old version of OpenSSL if I wanted to, but I would not
expect/request the OpenSSL maintainers to fix my issues for me.)
What currently supported LTS distro does not support TLS 1.2?
>> 2. Scanning or crawling a wide variety of systems, e.g. by a search
>> engine indexer, an asset enumeration tool, a security scanner, or during
>> a pentest.
> What good is a search engine index of a webpage no modern browser will connect
> to?
It is good for penetration testers: if no normal, expected users need to
connect to the service, and only malicious users are expected to connect
to it, it might be beneficial for the security posture to bring it
offline or put it behind a proxy.
> The other use cases sound like they’d be done with special tooling anyway, in
> which case that can continue to ship an older version of OpenSSL for this
> purpose.
Agreed. If an older version of OpenSSL is needed for specific testing
purposes, I can boot up an old live CD in a VM, or download old source
releases and build OpenSSL from source myself.
Regards,
Jens Timmerman
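The scanning/pentest use case discussed in this thread, as an added example that is not part of the original mail or of OpenSSL itself: a small Python probe that offers a single pre-1.3 TLS version in a hand-built ClientHello and classifies the server's first record as a ServerHello (with the version the server chose) or an Alert (typically protocol_version when that version is disabled). The cipher list, the constructed sample replies and the function names (`build_client_hello`, `classify_response`, `probe`) are my own choices, not anything from the thread. The handshake is deliberately never completed, so the scanner's own OpenSSL build does not need the legacy protocol enabled in order to detect it.

```python
"""
TLS version probe for scanning legacy hosts (added example).

Offers exactly one SSL3/TLS1.0/1.1/1.2 version in a hand-built ClientHello and
classifies the server's first record. The handshake is not completed, so the
local TLS library does not need to support the probed version.
"""
import os
import socket
import struct

# Version numbers as they appear on the wire (RFC 5246 section 6.2.1).
TLS_VERSIONS = {"SSL3.0": 0x0300, "TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

# Alert descriptions a probe is likely to see (RFC 5246 section 7.2).
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               71: "insufficient_security", 80: "internal_error",
               86: "inappropriate_fallback"}

# Assumed cipher list: RSA and ECDHE suites that pre-1.3 servers commonly accept.
DEFAULT_CIPHERS = (0xC014, 0xC013, 0x0035, 0x002F)


def build_client_hello(version: int, ciphers=DEFAULT_CIPHERS) -> bytes:
    """Return one TLS record carrying a ClientHello that offers only `version`.
    No extensions are sent, so this cannot probe TLS 1.3 (negotiated through
    the supported_versions extension)."""
    session_id = b""
    cipher_suites = b"".join(struct.pack("!H", c) for c in ciphers)
    compression = b"\x00"  # null compression only
    body = (struct.pack("!H", version) + os.urandom(32)      # client_version, random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    # Handshake header: type 1 (ClientHello) + 24-bit length.
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: type 22 (handshake), legacy record version 3.1, 16-bit length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> dict:
    """Classify the first TLS record in `data` (what the server sent back)."""
    if len(data) < 5:
        return {"result": "no_tls", "detail": "empty or non-TLS reply"}
    content_type, _record_version, record_len = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + record_len]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # Handshake record whose first message is a ServerHello (type 2):
        # server_version follows the 4-byte handshake header.
        version = struct.unpack("!H", payload[4:6])[0]
        return {"result": "server_hello", "version": version,
                "version_name": VERSION_NAMES.get(version, hex(version))}
    if content_type == 0x15 and len(payload) >= 2:
        level, description = payload[0], payload[1]
        return {"result": "alert", "fatal": level == 2, "description": description,
                "name": ALERT_NAMES.get(description, str(description))}
    return {"result": "unknown", "content_type": content_type}


def probe(host: str, port: int, version_name: str, timeout: float = 5.0) -> dict:
    """Connect, offer a single version, and return the classified first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(TLS_VERSIONS[version_name]))
        reply = b""
        try:
            # Read until one complete record (5-byte header + body) has arrived.
            while len(reply) < 5 or len(reply) < 5 + int.from_bytes(reply[3:5], "big"):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass
    return classify_response(reply)


def constructed_server_hello(version: int) -> bytes:
    """Constructed sample reply: a minimal ServerHello choosing `version`,
    cipher suite 0x002F and no extensions, for offline testing only."""
    body = (struct.pack("!H", version) + bytes(32)  # server_version, zero random (sample)
            + b"\x00"                                # empty session id
            + b"\x00\x2f"                            # chosen cipher suite
            + b"\x00")                               # null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Offline demonstration on constructed replies; a real scan calls probe().
    print(classify_response(constructed_server_hello(TLS_VERSIONS["TLS1.0"])))
    print(classify_response(b"\x15\x03\x03\x00\x02\x02\x46"))  # fatal protocol_version
```

Run `probe(host, 443, "TLS1.0")` against a host you are authorised to test; a `server_hello` result with `version_name` `TLS1.0` means the server still negotiates that version, while an `alert` named `protocol_version` means it refused it. Because no key exchange is attempted, the result says nothing about certificate validity or cipher strength, only about which protocol versions the server is willing to start.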