On Wed, 6 Jun 2018, Nikos Mavrogiannopoulos wrote:
> I think the debate here is whether Fedora (and in general operating systems) can afford to be stricter than the browsers. As an OS our attack surface is much larger than the browser setup, and thus it makes sense (to me), to be more careful.
Your legacy interaction will also be much larger. Like connecting to your home wifi router's webgui.
> Can we afford to break a significant part of our users? Of course not, but I think that this change is eventually happening, especially with TLS1.3 expected to be deployed widely, and it seems to me that we only wait to see who will do the first step.
I don't think TLS 1.3 will see a wide deployment immediately. Sure, the famous top websites and top browsers will, but enterprises will not. And especially those with any kind of logging/auditing requirements cannot even allow TLS 1.3 with ephemeral DH on their network.
I would personally first try and disable TLS 1.0 in f29 and see how many problems that generates. Then in f30 or f31 disable TLS 1.1. But I suspect Fedora itself not to be the problem. The real problems will hit RHEL/CentOS in the enterprise deployments. So even with a success in Fedora, I would be very careful with drawing any conclusions for enterprise use.
Paul