From: "Lyndon Nerenberg (VE7TFX/VE6BBM)"
To: 9front@9front.org, ori@eigenstate.org
In-reply-to: <46CB8AE4EC1E0CAA7422ED81FB575A3C@eigenstate.org>
References: <46CB8AE4EC1E0CAA7422ED81FB575A3C@eigenstate.org>
Date: Mon, 31 May 2021 15:46:38 -0700
Message-ID: <0322caee1c31f2fc@orthanc.ca>
List-ID: <9front.9front.org>
Subject: Re: [9front] [patch] devtls updates
Reply-To: 9front@9front.org

> Do you have specifics? I'd like to at least
> try to remove the blatantly broken stuff.

Just off the top of my head, SSH needs aes128-cbc in order to talk to our HP 5500s. As of OpenBSD 6.7 or so I have to explicitly enable that on the client side, otherwise it won't negotiate. Our budget 3Com switches in the office are in the same boat (I can't connect to them from home so I can't give you a model number off-hand). The latter also suffer from ancient TLS implementations that require frobbing of hashes and ciphers, but again, I can't get to them from here to look up the specifics.
In a nutshell I would preserve the functionality needed to wind back to TLS 1.0, but disable negotiating anything that isn't required for >= TLS 1.2 unless explicitly asked for by the user.

--lyndon
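The "explicitly enable it on the client side" step above, shown as an added OpenSSH ssh_config example (not from Lyndon's post or the 9front tree): the legacy cipher is turned on only for the one host that needs it, and the global defaults stay modern. The hostname hp5500.example.net is a constructed placeholder.

```sshconfig
# Host-specific blocks must come BEFORE "Host *": ssh_config uses the
# first value it finds for each option, so a later "Host *" cannot
# override what is set here, and this block cannot leak to other hosts.
Host hp5500.example.net
    # "+" appends to the default cipher list instead of replacing it,
    # so aes128-cbc is offered only when talking to this switch.
    Ciphers +aes128-cbc

# Weak setting to avoid: enabling the legacy cipher for every host.
# Host *
#     Ciphers +aes128-cbc

# Global defaults: no Ciphers line, so OpenSSH's built-in list (no CBC
# modes) applies to everything else.
Host *
    HashKnownHosts yes
```

Check the effective set for a given host with `ssh -G hp5500.example.net | grep -i ciphers` before and after the change.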