On Wed, Jul 25, 2018, 1:03 PM Steve Langasek <steve.langasek at ubuntu.com> wrote: > > Generally speaking, packages which need to be updated in order to remain > > compatible with changes to protocols on the Internet at large (such as in > this case, changes to the baseline TLS version that clients must negotiate > in order to be considered secure) qualify for SRU. If this is going to > enable compatibility with some server endpoints that have moved on for > security reasons (such as the Intel VPN servers), but break compatibility > with other still-extant server endpoints that don't support current security > protocols (such as the F5 firewalls, if they're still out there and have > this bug), we would want to think deeply about making such a choice given > that affected users also have the option to upgrade to newer versions of > Ubuntu without impacting users who rely on the less-secure-but-stable > support for pre-TLS1.1 endpoints. It's useful to consider the total set of possible consequences of Nikos's proposed fix, to change "-VERS-TLS-ALL:+VERS-TLS1.0" to "-VERS-SSL3.0". This would have the following effects on Ubuntu 14.04's openconnect: 1) Good: Fixes the incompatibility reported here, allowing it to connect to gateways that require TLS1.1 or TLS1.2. 2) Neutral: No effect on ancient gateways that only support SSLv3 (insecure, already locked out). 3) Neutral: No effect on ancient gateways that only support TLS1.0 (still possible to connect). 4) Bad: May prevent connections to TLS-version-intolerant (aka "broken") servers and middleboxes which support TLS1.0 but fail to correctly negotiate down to it when presented with TLS1.1/1.2 ClientHellos. The upside (1) is pretty obvious and clear, because lots of newer gateways simply refuse TLS1.0 these days. The downside (4) is hard to estimate? I don't think there are too many TLS1.0-only version-intolerant middleboxes out there these days because they would be breaking pretty much all the modern clients with the misfortune to go through them. And I don't think I've ever seen a report on the mailing list of a TLS1.0-only version-intolerant Cisco ASA. Dan