Re: [RFC] Disable TLSv1.0 by default, but allow enabling it

Alan DeKok wrote:
> On Dec 12, 2018, at 3:48 PM, Andrej Shadura <andrew.shadura@xxxxxxxxxxxxxxx> wrote:
>> On 05/12/2018 09:52, Andrej Shadura wrote:
>>> On 05/12/2018 00:09, Jouni Malinen wrote:
>>> Right, so what would you recommend for me to do in the meanwhile?
>>> Hardcode a minimal version just for wpa-supplicant to TLSv1.0? What
>>> about ciphers? Anything else?
>> I would really appreciate some opinion from Jouni or other people on
>> this list.
>   My $0.02 is to have an "allow TLSv1.0" configuration option, but have it disabled by default.  It's what we do in FreeRADIUS.
>
>   It's arguably bad in minor ways to allow TLSv1.0.  But preventing people from getting online is likely worse.

I'll +1 this. It shits me no end that Java and browsers have dropped SSLv2/3+TLSv1.0 in the name of security with no option to turn it on. I have some embedded hardware that is only accessible over VPN on a dedicated network that I have to run an old OS with old Java and old browsers to access. Sure it's a major security issue, but hell why can we not have options to force it on (even if the code is built to turn it back off after a set amount of time) for those that actually know what they are doing...?

I'll go get coffee now...

--
Michelle Sullivan
http://www.mhix.org/


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap


