On Mon, 11 Sep 2017, Philipp Kern wrote:
> https://packages.qa.debian.org/o/openssl/news/20170824T211015Z.html seems to
> have pushed this onto client applications? I.e. it's no longer hard disabled
> but client applications need to explicitly enable them?

Yes, I'm aware of that but Kurt never said that he would be willing to back off from completely disabling it before the buster release and I don't see any benefit in modifying all server applications to re-enable the protocols that we want to support out-of-the-box because there are (outside of Debian) old applications that will have to connect to those servers.

I understand we need to fix the client applications that we ship in Debian so that they work with TLS 1.2-only servers and for this it might be useful to disable TLS 1.0 and TLS 1.1 by default in unstable for a while. But in Debian testing, we have real end-users (direct and through "rolling" derivatives) and they should not have to be impacted by this experiment IMO.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/