> Ubuntu 12.04 contains openssl 1.0.1, which supports TLS v1.2.

My bad.... I should have been using `apt-cache show` instead of `ldd`.

> Unfortunately, because of the large number of sites which incorrectly handled
> TLS v1.2 negotiation, we had to disable TLS v1.2 on the client.
>
> See the following bugs for more information:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665452

I think Marko is probably right - it might be time to revisit some of these decisions made to help the users since the reasons appear no longer valid. From the list of broken sites provided in the bug reports above:

Mediafire: OK per Marko
Salesforce now supports TLSv1.2: https://www.ssllabs.com/ssltest/analyze.html?d=salesforce.com
Facebook now supports TLSv1.2: https://www.ssllabs.com/ssltest/analyze.html?d=graph.facebook.com
PayPal now supports TLSv1.2: https://www.ssllabs.com/ssltest/analyze.html?d=paypal.com
Sourceforge now supports TLSv1.2: https://www.ssllabs.com/ssltest/analyze.html?d=sourceforge.net

As for the broken libraries, such as Python and libcurl, they need to fix their stuff. I can't speak to Python (I know nothing about the developers or development process). But I know Daniel at the Curl project is an awesome leader, the project has a great engineering process and the library performs to expectations.

> Browsers use NSS, which doesn't have the same compatibility issues OpenSSL
> has.

Not all clients are browsers. Here's from a dev machine *not* loaded with anything other than compilers and associated tools:

$ apt-cache rdepends openssl | wc -l
122

I imagine the number would increase if IRC, chat clients and other messaging software were added.

The real problem here is philosophical. It includes the "common case" is taken and not the "worse case". Some folks depend upon these protocols for their lives. Those people would include dissidents under oppressive regimes. We have a moral obligation to get it right for folks who have more to lose than we do.

Personally (as a US citizen), I'm embarrassed by all the US human rights violations perpetrated by my country (privacy is a right in many non-US countries in the world).

... Unless, of course, someone thinks Diginotar was a massive spear phishing ploy and Snowden was lying.

--
https://bugs.launchpad.net/bugs/1256576

Title:
  Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2