It's not ideal if one obsolete website forces downgrading the security potentially for all the connections. I hope 5) is addressing that.That's something apps and only apps can handle.
Well, but if the system policy says that TLS1.0 is banned, the
only way for the app to downgrade would be if it had its own TLS
stack, right?
I do realize that the current policy mechanism is not designed
for narrow deviations, I am just pointing out that it's not ideal
because in practice people downgrade because they need narrow
deviations for specific connections, and as you well know,
relaxing the rules for all connections opens the door to downgrade
attacks even on the connections that are capable of TLS2.0.
I am asking if there is another way, for instance by having a
per-interface policies, and setting up the relaxed rules for an
interface that routes traffic to this one deficient remote
endpoint.
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
