On 02.02.15 15:54, Disch Services GmbH wrote:
> Dear List,
Hi there!
Please note that what I write are my impressions and opinions, and not
any official statement regarding what LTS can or should support. I'm not
in a position to make such statements, either.
> Right now I struggle with some issues about supported encryption
> protocols in Debian 6 LTS.
> The technical recommendation of the BSI (see 1.) for TLS states that
> TLSv1.0 is not recommended any more starting in 2015. The same
> document says that TLSv1.1 may be used in 2015 resp. 2017+ with some
> restrictions.
> Now, Debian 6 LTS has OpenSSL that only supports TLSv1.0 and has
> GnuTLS that supports TLSv1.1, but without PFS.
Yep, this is a problem.
> According to the (legal) requirements of the BayLDA (see 2.), mail
> servers must support STARTTLS and PFS (Perfect Forward Secrecy) and
> the Heartbleed bug must be fixed. (See 3.)
> Combining these we find that Debian 6 LTS could not be used in 2015
> any more, because in OpenSSL (which is used as a standard library for
> encryption in most applications) TLSv1.2 (resp. TLSv1.1 with some
> restrictions) is missing and in GnuTLS PFS is missing.
For your purposes, I'd say your analysis is correct: Debian Squeeze
should not be used, except with a backported OpenSSL 1.x.
The problem with that is that to backport OpenSSL 1.x means also
backporting newer versions of packages (I don't recall which or how
many, sorry) that have been programmed with OpenSSL 0.9.x in mind.
Establishing exactly which packages these are, and to which extent they
merely need to be recompiled or also need to be backported, is a pretty
big task, and I suspect it's way out of scope for the LTS project.
> But Ubuntu 12 LTS has OpenSSL which supports TLSv1.2 and PFS.
Debian Squeeze was feature-frozen in August 2010, one and a half years
before Ubuntu 12.04 LTS. That is, it was feature-frozen while Ubuntu
10.04 was the current Ubuntu version.
If you want to compare Ubuntu 12 LTS with a Debian release, the closest
we've got is Wheezy.
> Furthermore, I discovered mail services of my clients that only support
> TLSv1.2, and because of this, encrypted e-mail communication fails.
> And, from an IT security point of view, I can only recommend a service
> or a software to my clients that obeys the protective legal requirements.
> Additionally, I think that the supported encryption protocol is a
> security issue!
> To sum this up: we need Debian 6 LTS with TLSv1.2 (i.e. with a recent
> OpenSSL implementation).
I agree that it would be nice, but the writing has been on the wall
regarding which Debian release you should look to for TLS and PFS
support since Wheezy was frozen in 2012.
I think you'd be better served by migrating to Wheezy or Jessie.
--
Cheers,
Jan
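As an added example for this thread (not code from the original mail, nor from Debian or Ubuntu), here is a Python probe for the two points argued above: it connects to a mail server, issues STARTTLS, reads back the negotiated protocol version and cipher suite, and grades them on protocol version (TLSv1.2 wanted, TLSv1.1 only with restrictions, TLSv1.0 no longer recommended) and forward secrecy (an ephemeral DH/ECDH key exchange). The grading table encodes the thread's reading of the BSI and BayLDA requirements, not the documents themselves; the default host name and the cipher-name prefixes (OpenSSL naming) are assumptions.

```python
"""Probe an SMTP server's STARTTLS configuration and grade the result on
protocol version and forward secrecy.

Added example for this thread; not code from the original mail or from
Debian/Ubuntu.  Thresholds follow the thread's reading of the BSI/BayLDA
requirements; the default host is a placeholder.
"""
import smtplib
import ssl
import sys
from dataclasses import dataclass

# Cipher-suite name prefixes (OpenSSL naming, assumed) whose key exchange
# is ephemeral and therefore forward secret.  TLS 1.3 suites are always
# (EC)DHE, so the TLS_AES_/TLS_CHACHA20_ names count as well.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")

# Protocol grading as the thread describes it for 2015.
VERSION_STATUS = {
    "TLSv1.3": "ok",
    "TLSv1.2": "ok",
    "TLSv1.1": "restricted",       # usable only with restrictions
    "TLSv1":   "not_recommended",  # TLSv1.0 as reported by ssl.SSLSocket.version()
    "TLSv1.0": "not_recommended",
}


@dataclass
class Assessment:
    version: str
    cipher: str
    version_status: str  # "ok", "restricted", "not_recommended" or "unknown"
    pfs: bool

    @property
    def acceptable(self) -> bool:
        # The thread's bar: a protocol still permitted plus a forward-secret suite.
        return self.version_status in ("ok", "restricted") and self.pfs


def assess(version: str, cipher: str) -> Assessment:
    """Classify a negotiated (protocol version, cipher suite name) pair."""
    status = VERSION_STATUS.get(version, "unknown")
    return Assessment(version, cipher, status, cipher.startswith(PFS_PREFIXES))


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0):
    """Connect, upgrade with STARTTLS and grade the negotiated parameters.

    Returns an Assessment, the string "no-starttls" if the server does not
    advertise the extension, or "handshake-failed" if the TLS negotiation
    is refused (the failure mode the thread describes when a TLSv1.2-only
    server meets a client that cannot speak TLSv1.2).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we grade the protocol here, not the certificate
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return "no-starttls"
            smtp.starttls(context=ctx)
            version = smtp.sock.version()
            cipher, _protocol, _bits = smtp.sock.cipher()
            return assess(version, cipher)
    except ssl.SSLError:
        return "handshake-failed"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # placeholder host
    result = probe_starttls(target)
    if isinstance(result, Assessment):
        print(f"{target}: {result.version} {result.cipher} "
              f"version={result.version_status} pfs={result.pfs} "
              f"acceptable={result.acceptable}")
    else:
        print(f"{target}: {result}")
```

Run it as `python probe.py mail.example.org`. One caveat a practitioner should keep in mind: a current Python links against a current OpenSSL, so the probe sees the best the server offers to a modern client; it does not reproduce what a Squeeze-era OpenSSL 0.9.8 client would negotiate, which is exactly the case in which the thread's TLSv1.2-only servers make the handshake fail.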