Re: F29 System Wide Change: Strong crypto settings: phase 2

Not just web sites.  Changes in Firefox and Chrome have already made
working with embedded devices such as DRAC and storage servers nearly
impossible.  IMO there needs to be a fallback option to still allow
access to "insecure" sites that still use TLS 1.0 or older certificates
that still use SHA-1.


On 06/02/2018 05:57 AM, Christian Stadelmann wrote:
>> On Fri, Jun 01, 2018 at 01:40:58PM +0200, Jan Kurik wrote:
>> What is the availability of TLS 1.2 vs 1.1/1.0 on the internet ?
>> ie how likely is this to break the ability of users to access websites
>> they care about ?
> There is quite a lot, sadly. I'd say about 0.1…1% of all internet sites of my personal browsing behavior. Fedora's infrastructure works fine with TLS 1.0 and 1.1 disabled. Essential parts of the eclipse.org infrastructure are still on historic crypto levels, including its wiki, git server and marketplace. This DEFAULT policy probably will break the eclipse marketplace client in Fedora.
>
> I haven't found perfect data but SSLLabs' "SSL Pulse" [1] gives some hints. Applying their current metric, any server without TLS 1.2 support will be rewarded with grade C or worse. See [2] for an example. Assuming that grade-F-sites are broken beyond any repair, there's still 7.7% grade C and a few grade D pages resulting in up to 7.8% of all websites still using TLS < 1.2. Without good data on this I highly recommend not disabling TLS <1.2 by default on F29.
>
> [1] https://www.ssllabs.com/ssl-pulse/
> [2] https://www.ssllabs.com/ssltest/analyze.html?d=marketplace.eclipse.org
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/BPNMA54WJ5B7QMBTEMPDVDGOHCIHQDHN/



