OpenSSL Support In Debian Unstable Drops TLS 1.0/1.1 Support

An anonymous reader writes: Debian Linux "sid" is deprecating TLS 1.0 Encryption. A new version of OpenSSL has been uploaded to Debian Linux unstable. This version disables the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version. This will likely break certain things that for whatever reason still don't support TLS 1.2. I strongly suggest that if it's not supported that you add support for it, or get the other side to add support for it. OpenSSL made a release 5 years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don't need to enable them again. This move caused some concern among Debian users and sysadmins. If you are running Debian Unstable on server tons of stuff is going to broken cryptographically. Not to mention legacy hardware and firmware that still uses TLS 1.0. On the client side (i.e. your users), you need to use the latest version of a browser such as Chrome/Chromium and Firefox. The Older version of Android (e.g. Android v5.x and earlier) do not support TLS 1.2. You need to use minimum iOS 5 for TLS 1.2 support. Same goes with SMTP/mail servers, desktop email clients, FTP clients and more. All of them using old outdated crypto.

This move will also affect for Android 4.3 users or stock MS-Windows 7/IE users (which has TLS 1.2 switched off in Internet Options.) Not to mention all the mail servers out there running outdated crypto.

PCI Compliance

[darkain]

As someone who had to deal with all the bullshit of PCI Compliance, let me just tell ya. This is an absolute MUST. The current PCI spec strictly states that only TLS 1.2 is supported due to insecurities found in 1.0/1.1. Granted, the PCI group is also overly cautious, but it is good to see more and more software force this spec to make PCI compliance easier. Simply having 1.0/1.1 enabled on anything public facing will fail an audit.

Debian Unstable is a misnomer!

People who don't know Debian don't realize that the name "Unstable" is actually a misnomer.

The idea of "stability" and "robustness" has been very different in the Debian world. When it comes to Debian Stable, it's stable in a way that's unheard of for pretty much every other Linux distro out there. These releases have traditionally been as solid as is realistically possible. Most other Linux distros have nothing comparable.

Debian Testing is also extremely stable, when compared to other Linux distros. The best comparison would be to a late-stage bugfix release of a mature Linux distro version.

Debian Unstable, despite its name, is about the level of quality we'd expect from most releases of most other Linux distros. It's only "unstable" when compared to the extreme stability of Debian Stable releases. Otherwise it has traditionally been quite stable.

Remember that Ubuntu's packages are based off of Debian Unstable packages.

Now, things have been changing within the Debian world. Since the introduction of systemd some time ago, things have been going to hell. Quality is down, and user trust is dwindling. Many Debian users have started to move their most important systems to FreeBSD or OpenBSD, which are far more comparable to pre-systemd Debian releases in terms of offering extremely high levels of stability and quality.

But even after the systemd disaster, Debian Unstable is still more stable than even the stable releases of most other Linux distros. It does help Debian's case that its main competitors have also switched to systemd, so their stability and reliability has suffered, as well.

Anyway, when you hear the term "unstable" applied to Debian, keep in mind that we're measuring on a very different scale than is used for most other Linux distros.

Re:How many packages does it actually impact?

[Mousit]

apache, postfix and nginx come to mind as common packages that use openssl.

Good point. I don't run web services on that server so I didn't even think to look at those packages. That'd be a pretty big deal if the major web servers in Debian need it.

I did do some digging around after making that earlier post. I can definitely see from the client end it'll really make an impact for sure. In particular it's rather frightening how many SMTP servers out there don't do TLS 1.2 at all, so good luck being an MTA talking to other servers. Even Apple and Google/Gmail SMTP servers only talk TLS 1.0. No 1.1 or 1.2 support. Those are two companies I'd have figured would be at the forefront of such support. Amusingly their IMAP servers support 1.2 just fine. So, with those two, you can GET your mail but you can't SEND your mail in a 1.2-only environment. :)