On Sun, Aug 06, 2017 at 06:03:30PM +0200, Sebastian Andrzej Siewior wrote: > On 5 August 2017 23:31:33 CEST, Kurt Roeckx <[email protected]> wrote: > > >I planned to break things by disabling TLS 1.0 and 1.1, which I > >might upload soon. I guess I can fix that at the same time. > > Do you intend a transition like we had for SSLv2 removal or do you plan just > to disable it? I remember a few packages using TLSv functions instead of > SSLv23 which is what should be used (and those will end up with nothing).
I'm not sure what to do with the TLSv* methods. They have been deprecated and will be removed in 1.2. I could make them return NULL, or I could keep them working. I think I'm currently going for just making them turn NULL. I don't plan to remove any symbols, so there should be no need to change the soname. > Removing TLS1.0 and TLS1.1 sounds early but given that we aim Buster it looks > alright. My web server serves 1.2 only which only rejects a few bots of > questionable origin. My email server logs a few 1.0 legitimate connections > but that's how it is. They usually fallback to plain connection. Shouldn't we > announce it on D-D-A? Yes, the aim is to have this for Buster by default. And we can always revert this if too much is broken. But I think Buster is far enough in the future to try and do this now. Kurt

