From: Robert Pluim
Newsgroups: gmane.emacs.devel
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Mon, 07 Aug 2017 11:54:22 +0200
Message-ID: <87fud3og8h.fsf@gmail.com>
In-Reply-To: <8737978oo2.fsf@lifelogs.com> (Ted Zlatanov's message of "Fri, 04 Aug 2017 09:09:49 -0400")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
To: emacs-devel@gnu.org

Ted Zlatanov writes:

> On Thu, 03 Aug 2017 23:17:13 -0400 Stefan Monnier wrote:
>
> SM> I generally agree on the principle, but at the same time I wonder what
> SM> actions would make sense: there are basically 2 applicable actions, one
> SM> of which (contact the webmaster to suggest upgrading to a better
> SM> protocol) is difficult to automate.
>
> I would suggest these possible actions:
>
> * don't warn me about this site anymore and proceed (whitelist)
> * don't warn me about TLS 1.0 issues for (dropdown: 1 day, 3 days, 1 month)
> * don't warn me about this site for (dropdown: 1 day, 3 days, 1
>   month)

I don't think I'd ever want this to be time-based. For me it's all
subsumed by this one:

> * proceed this once

since I'll want to revisit my decision the next time I connect,
whenever that is.

> * blacklist site as long as it uses TLS1.0; abort connection; never notify
> * blacklist TLS1.0 globally; abort all such connections; never notify

These seem a little drastic, even to me :-) You can achieve almost
this already by customizing gnutls-algorithm-priority.

BTW, Debian unstable just started the process of removing support for
TLS1.0 *and* TLS1.1 from OpenSSL, I assume the equivalent GnuTLS
change is not far behind:

https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html

Regards

Robert
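
One way the gnutls-algorithm-priority customization mentioned above can look, with a check of what a connection actually negotiates. This is an added example, not part of the message or of Emacs itself; the priority string chosen here, the helper name my/tls-protocol and the host in the usage comment are assumptions.

```elisp
;; Added example. Assumes an Emacs built with GnuTLS support.
(require 'gnutls)

;; GnuTLS priority string: start from the NORMAL set and remove TLS 1.0.
;; Appending ":-VERS-TLS1.1" would drop TLS 1.1 as well.
;; Handshakes with servers that offer only TLS 1.0 will then fail
;; instead of producing a warning.
(setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.0")

(defun my/tls-protocol (host &optional port)
  "Return the TLS protocol string negotiated with HOST on PORT (default 443).
Return nil when no connection could be established, for example because
the server only offers a protocol version excluded by
`gnutls-algorithm-priority'.  `my/tls-protocol' is a hypothetical
helper name, not an Emacs function."
  (let ((proc (ignore-errors
                (open-network-stream "tls-probe" nil host (or port 443)
                                     :type 'tls))))
    (when proc
      (unwind-protect
          ;; `gnutls-peer-status' returns a plist describing the session;
          ;; :protocol holds a string such as "TLS1.2".
          (plist-get (gnutls-peer-status proc) :protocol)
        (delete-process proc)))))

;; Usage (placeholder host):
;; (my/tls-protocol "example.org")
```

The setting is global for connections Emacs makes through GnuTLS, so it has no per-site exception list; that is the gap between this and the per-site actions discussed in the thread.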