Re: Do we still need sslVersionMax/sslVersionMin?

> On 17 Jul 2019, at 22:36, Mark Reynolds <mreynolds@xxxxxxxxxx> wrote:
> 
> 
> On 7/17/19 3:01 AM, Matus Honek wrote:
>> I think we cannot remove it. Setting the MIN version is a workaround
>> for *old clients* that do not even support the current NSS default min.
>> Setting the MAX version is a workaround for *broken clients* thinking
>> they can support something they announced but for some reason fail to
>> work with such a version. I believe most deployments have some
>> really legacy software, of which not a small amount behaves weirdly
>> enough that these two options save lives; I have seen these issues several
>> times.
> Did you see anyone still using SSL3?

The min is good to allow a sysadmin to clamp the min version up to something like TLS1.2 rather than TLS 1.0 and 1.1, which both have known issues.

So I think we should leave this, but default to the NSS system-wide crypto, and document and advise to use the NSS system-wide crypto policy instead.

>> 
>> On Tue, Jul 16, 2019 at 10:24 PM Mark Reynolds <mreynolds@xxxxxxxxxx> wrote:
>>> So some time ago when the poodlebleed vulnerability came out in SSL3 we
>>> added a way to set the minimum and maximum SSL/TLS versions the server
>>> would accept (e.g. TLS1.1 <--> TLS1.2).    Current versions of NSS
>>> already use this range by default.  I would like to remove/deprecate the
>>> sslVersionMin/Max and just use what NSS uses by default (which should be
>>> the system wide crypto policy).
>>> 
>>> Is anyone actually using sslVersionMin/Max?  Do we really have a need
>>> for it anymore?
>>> 
>>> --
>>> 
>>> 389 Directory Server Development Team
>> 
>> 
> -- 
> 
> 389 Directory Server Development Team

--
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-devel mailing list -- 389-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-devel@xxxxxxxxxxxxxxxxxxxxxxx
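As an added example (not code from this thread or from the 389 DS project), a small audit over an LDIF export of the server config that reports the two conditions the thread is concerned with: a range whose floor sits below TLS1.2 (so TLS 1.0/1.1 remain negotiable) and an inverted min/max range. The attribute names sslVersionMin/sslVersionMax come from the thread; the cn=encryption,cn=config DN, the "TLS1.2" value format and the sample LDIF are assumptions constructed for the example.

```python
"""Audit sslVersionMin/sslVersionMax in a 389 DS config LDIF export.

Assumptions (not confirmed by the thread): the attributes live on the
cn=encryption,cn=config entry and take values such as "TLS1.2".
"""

# Protocol ordering used to compare the configured bounds.
TLS_ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
RECOMMENDED_MIN = "TLS1.2"  # the floor William suggests clamping to

# Constructed sample export: a server still allowing TLS 1.0.
SAMPLE_LDIF = """\
dn: cn=config
cn: config

dn: cn=encryption,cn=config
cn: encryption
sslVersionMin: TLS1.0
sslVersionMax: TLS1.2
"""


def parse_encryption_entry(ldif_text):
    """Return {lowercased attr: value} for the cn=encryption entry, or None."""
    entries, current = [], {}
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            if current:  # blank line terminates an LDIF entry
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), value.strip())  # keep first value
    if current:
        entries.append(current)
    for entry in entries:
        if entry.get("dn", "").lower().startswith("cn=encryption,"):
            return entry
    return None


def audit_tls_range(entry):
    """Return findings for the entry; an empty list means the range is acceptable."""
    vmin, vmax = entry.get("sslversionmin"), entry.get("sslversionmax")
    if vmin is None and vmax is None:
        return []  # no explicit clamp: NSS / the system-wide crypto policy decides
    findings = [f"{n}={v!r} is not a recognised version"
                for n, v in (("sslVersionMin", vmin), ("sslVersionMax", vmax))
                if v is not None and v not in TLS_ORDER]
    imin = TLS_ORDER.index(vmin) if vmin in TLS_ORDER else None
    imax = TLS_ORDER.index(vmax) if vmax in TLS_ORDER else None
    if imin is not None and imax is not None and imin > imax:
        findings.append(f"sslVersionMin {vmin} is above sslVersionMax {vmax}: nothing can be negotiated")
    if imin is not None and imin < TLS_ORDER.index(RECOMMENDED_MIN):
        findings.append(f"sslVersionMin {vmin} permits versions below TLS1.2; raise to {RECOMMENDED_MIN}")
    return findings
```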