Date: Thu, 14 May 2015 10:24:18 -0500
From: Karl Denninger <karl@denninger.net>
To: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Message-ID: <5554BE22.1000407@denninger.net>
In-Reply-To: <C6A26209-6DB6-4842-9810-B670E3461AAE@patpro.net>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <555476CB.2010005@ivpro.net> <1431608885.1875421.268665801.1220FE34@webmail.messagingengine.com> <CAKE2PDtM6q14q2BdmB5PNht=Q3Q0VQRh64nh1Lfd9Y9uCryibw@mail.gmail.com> <C6A26209-6DB6-4842-9810-B670E3461AAE@patpro.net>

On 5/14/2015 10:20, Patrick Proniewski wrote:
> On 14 mai 2015, at 16:13, jungle Boogie wrote:
>
>> On 14 May 2015 at 06:08, Mark Felder <feld@freebsd.org> wrote:
>>> TLS 1.0 is dead and is even now banned in new installations according to
>>> the PCI DSS 3.1 standards. Nobody should expect TLS 1.0 to be supported
>>> by *any* HTTPS site now.
>>
>> Hear, hear! We ONLY have 1.0 enabled until the hardware vendor can
>> upgrade their software. I'm looking to celebrate the day when we have
>> 1.1 and 1.2 enabled.
>
> That's always the problem with guys like you and me who live in the real world. We can't cope with "what should be dead and no longer used". Deprecated tomcat/Java/SSL/You-name-it software that you can't just upgrade because it's used with hardware/software you can't get rid of.
> At work we are in the ridiculous state where we have to package old browser + old Java into VMware ThinApp "bubbles" to access production tools.
>
> Removing TLS 1.0 is not a good move. It's possible to provide SSL with TLS 1.2, having protection against protocol downgrade, and still provide TLS 1.1 and 1.0 for older browsers.
>
> patpro

I'd love to lock out TLS 1.0 but if you do that anyone still running anything that uses XP cannot connect. There ARE people out there still using that in the wild. Not a huge number, but a material number.

On several relatively large systems I monitor the "in the wild" user count for Windows XP is still around 4% of all users to the sites.

Same problem with RC4. I'd love to lock that out too, but see above -- that means 4% of the users can't connect (at all.)

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
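
Added example, not part of the original message or thread: one way to put a number on the "who gets locked out" question before disabling TLS 1.0 or RC4 is to tally the protocol and cipher each client actually negotiated. The log format (`client_ip protocol cipher "user-agent"`) and the sample lines are assumptions constructed for illustration; nginx's `$ssl_protocol`/`$ssl_cipher` or mod_ssl's `%{SSL_PROTOCOL}x`/`%{SSL_CIPHER}x` can produce such fields.

```python
from collections import defaultdict

# Constructed sample; assumed log format: client_ip protocol cipher "user-agent"
SAMPLE_LOG = '''\
192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Firefox/38.0"
192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Firefox/38.0"
192.0.2.11 TLSv1 RC4-SHA "MSIE 8.0; Windows NT 5.1"
192.0.2.12 TLSv1.2 ECDHE-RSA-RC4-SHA "Chrome/42.0"
192.0.2.12 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Chrome/42.0"
192.0.2.13 TLSv1 DES-CBC3-SHA "MSIE 8.0; Windows NT 5.1"
192.0.2.14 TLSv1.1 AES128-SHA "Safari/6.0"
- - -
'''

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}  # refused once TLS 1.0 is locked out


def handshakes_by_client(log_text):
    """Map each client address to the set of (protocol, cipher) pairs it negotiated."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 3 or not fields[1].startswith(("TLS", "SSL")):
            continue  # skip malformed or non-TLS entries
        seen[fields[0]].add((fields[1], fields[2]))
    return seen


def lockout_report(log_text):
    """Count clients whose every observed handshake relied on TLS 1.0 or on RC4."""
    seen = handshakes_by_client(log_text)
    total = len(seen)

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    # The server picks the highest shared version, so a TLSv1-only client tops out there.
    old = sorted(c for c, hs in seen.items() if all(p in LEGACY_PROTOCOLS for p, _ in hs))
    # Upper bound: server cipher preference can select RC4 for clients that offer others.
    rc4 = sorted(c for c, hs in seen.items() if all("RC4" in ciph for _, ciph in hs))
    return {"clients": total, "tls10_or_older_only": old, "rc4_only": rc4,
            "pct_lost_without_tls10": pct(len(old)),
            "pct_negotiating_only_rc4": pct(len(rc4))}


if __name__ == "__main__":
    for key, value in lockout_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Distinct source addresses only approximate distinct users (NAT and proxies merge them), so treat the percentages as estimates.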