On Wednesday, 14 March 2018 19:53:21 CET Russ Housley wrote:
> > On Mar 14, 2018, at 8:39 AM, Hubert Kario <hka...@redhat.com> wrote:
> >
> > On Tuesday, 13 March 2018 23:16:47 CET Russ Housley wrote:
> >> Ted:
> >>> There's an easy way to do this, although as a sometime bank security
> >>> geek
> >>> I would strongly advise you to not do it: keep using TLS 1.2.
> >>
> >> This is a bogus argument. First, staying with an old protocol version
> >> often leads to locking in unmaintained versions of old software.
> >
> > this is simply not true, the newest versions of OpenSSL, NSS, GnuTLS and
> > schannel allow you to disable TLS 1.2 and TLS 1.1 protocol support to
> > effectively only support TLS 1.0!
>
> After TLS 1.3 is approved, I have heard a desire from software maintainers
> to drop support for some of the older versions over time. Support for SSL
> 3.0 has been dropped in some cases, and for good reasons.

there's a long road from "desire to drop support for TLS 1.0", through
"marking the TLS 1.0 support as deprecated", "making the TLS 1.0 support a
compile only option" to "removing TLS 1.0 code completely"

while sure, both TLS 1.0 and TLS 1.2 likely will be removed from those
aforementioned libraries at _some_ point, it is disingenuous to suggest it will
happen in a matter of just a few years, especially for the latter of the two
protocols

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls