Received: (qmail 31852 invoked from network); 31 May 2021 14:08:36 -0000
Received: from 1ess.inri.net (216.126.196.35) by inbox.vuxu.org with ESMTPUTF8; 31 May 2021 14:08:36 -0000
Received: from orthanc.ca ([208.79.93.154]) by 1ess; Sun May 30 20:03:28 -0400 2021
Received: from orthanc.ca (localhost [127.0.0.1]) by orthanc.ca (OpenSMTPD) with ESMTP id 30f871ef; Sun, 30 May 2021 17:03:27 -0700 (PDT)
From: "Lyndon Nerenberg (VE7TFX/VE6BBM)"
To: 9front@9front.org, fulton@fulton.software
In-reply-to:
References:
Comments: In-reply-to fulton@fulton.software message dated "Sun, 30 May 2021 08:05:31 -0700."
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5118.1622419407.1@orthanc.ca>
Date: Sun, 30 May 2021 17:03:27 -0700
Message-ID: <0322c8c47de30866@orthanc.ca>
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: flexible session module-aware locator
Subject: Re: [9front] [patch] devtls updates
Reply-To: 9front@9front.org
Precedence: bulk

There's a lot of old hardware out there that only speaks these obsolete methods and which will never see an upgrade. I have a half-dozen switches in use at home that fit this category.

Rather than completely gut this support, it would be better to turn it off in the default configuration, but leave a switch that can be used to enable the obsolete cruft only when required.

This is how OpenBSD's SSH handles obsolete ciphers. Disabled by default, but I can request them when needed. And you might be surprised at how much recent vintage network gear in our data centre needs those old ciphers :-(

Most SSL libraries work the same way, albeit often with bad default settings and very awkward configuration schemes.

--lyndon
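The "off by default, switched on only where required" pattern Lyndon describes for OpenSSH is easy to get wrong in practice: a legacy cipher or key-exchange method meant for one old switch ends up enabled for every host because the `+` directive was placed at global scope or under `Host *`. As an added example (not part of the thread, and not code from 9front or OpenSSH), the Python below parses an ssh_config-style text and reports each legacy algorithm opt-in together with whether it is scoped to a specific host. The two sample configs are constructed for illustration, and the set of "legacy" algorithm names is an assumption drawn from algorithms OpenSSH has removed from its defaults over the years, not an authoritative list.

```python
"""Audit an OpenSSH client config for legacy-algorithm opt-ins.

Added example, not from the mailing-list thread. It checks the pattern
described there: obsolete algorithms stay off by default and are enabled
only inside a Host block for the specific legacy device that needs them.
"""
import re

# Assumed legacy algorithm names (illustrative, not exhaustive), grouped
# by the ssh_config keyword that controls them.
LEGACY = {
    "Ciphers": {"3des-cbc", "aes128-cbc", "aes256-cbc", "arcfour"},
    "KexAlgorithms": {"diffie-hellman-group1-sha1",
                      "diffie-hellman-group14-sha1"},
    "HostKeyAlgorithms": {"ssh-dss", "ssh-rsa"},
    "MACs": {"hmac-md5", "hmac-sha1-96"},
}

# Constructed sample: the opt-in is confined to one named legacy switch,
# so every other connection keeps the stock defaults.
SAMPLE_GOOD = """\
# nothing weak enabled at global scope
Host legacy-switch
    HostName 192.0.2.10
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +aes128-cbc
    HostKeyAlgorithms +ssh-rsa
"""

# Constructed sample: the same opt-ins, but applied to every host.
SAMPLE_BAD = """\
Ciphers +3des-cbc
Host *
    KexAlgorithms +diffie-hellman-group1-sha1
"""

# Scopes under which an opt-in reaches every host.
UNSCOPED = {"<global>", "Host *", "Match all"}


def parse_ssh_config(text):
    """Yield (scope, keyword, value) for each directive.

    scope is "<global>" before the first Host/Match line, otherwise the
    enclosing Host/Match line. Keywords are case-insensitive in
    ssh_config, so they are normalised to the spelling used in LEGACY.
    """
    canon = {k.lower(): k for k in LEGACY}
    scope = "<global>"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        if key.lower() in ("host", "match"):
            scope = f"{key.capitalize()} {value}"
            continue
        yield scope, canon.get(key.lower(), key), value


def legacy_optins(text):
    """Return (scope, keyword, algorithm, unscoped) for each legacy
    algorithm that the config enables.

    A leading '-' removes algorithms, so such directives are ignored;
    '+' appends to and '^' prepends to the defaults, and a bare list
    replaces them, so all three count as enabling.
    """
    findings = []
    for scope, key, value in parse_ssh_config(text):
        if key not in LEGACY or value.startswith("-"):
            continue
        for algo in value.lstrip("+^").split(","):
            if algo in LEGACY[key]:
                findings.append((scope, key, algo, scope in UNSCOPED))
    return findings


def unscoped_legacy(text):
    """Only the findings that apply to every host: the ones to fix."""
    return [f for f in legacy_optins(text) if f[3]]


if __name__ == "__main__":
    for name, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"== {name} ==")
        for scope, key, algo, unscoped in legacy_optins(cfg):
            flag = "UNSCOPED" if unscoped else "scoped"
            print(f"  {flag:8} {key} {algo} ({scope})")
```

Run against a real `~/.ssh/config`, the useful output is the UNSCOPED lines: those are the places where a concession made for one piece of old gear has quietly weakened every connection. One OpenSSH subtlety the script does not model is that the first obtained value for a keyword wins, so a global `Ciphers` line placed before a Host block also prevents that block from narrowing the set.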