9front - general discussion about 9front
 help / color / mirror / Atom feed
From: ori@eigenstate.org
To: 9front@9front.org, ori@eigenstate.org
Subject: Re: [9front] [patch] devtls updates
Date: Tue, 01 Jun 2021 17:38:58 -0700	[thread overview]
Message-ID: <E88E56B2AA634413D52129EC46917209@eigenstate.org> (raw)
In-Reply-To: <0322caee1c31f2fc@orthanc.ca>

Quoth Lyndon Nerenberg (VE7TFX/VE6BBM) <lyndon@orthanc.ca>:
> > Do you have specifics? I'd like to at least
> > try to remove the blatantly broken stuff.
> 
> Just off the top of my head, SSH needs aes128-cbc in order to talk
> to our HP 5500s.  As of OpenBSD 6.7 or so I have to explicitly
> enable that on the client side, otherwise it won't negotiate.  Our
> budget 3Com switches in the office are in the same boat (I can't
> connect to them from home so I can't give you a model number
> off-hand).  The latter also suffer from ancient TLS implementations
> that require frobbing of hashes and ciphers, but again, I can't get
> to them from here to look up the specifics.
> 
> In a nutshell I would preserve the functionality needed to wind back
> to TLS 1.0, but disable negotiating anything that isn't required
> for >= TLS 1.2 unless explicitly asked for by the user.
> 
> --lyndon

ssh doesn't use devssl or devtls, so that's
not really relevant to this patch set.

For tls, I'd be ok with keeping specific
obsolete ciphers around if there are
devices that need it, but rc4 is well
past deprecated into kill it with fire
territory:

	https://datatracker.ietf.org/doc/html/rfc7465

but for that, we need to decide what we
do with cpu, exportfs, and oexportfs.


  reply	other threads:[~2021-06-02  9:28 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-30 15:05 fulton
2021-05-31  0:03 ` Lyndon Nerenberg (VE7TFX/VE6BBM)
2021-05-31 15:37   ` ori
2021-05-31 22:46     ` Lyndon Nerenberg (VE7TFX/VE6BBM)
2021-06-02  0:38       ` ori [this message]
2021-06-02  4:30         ` Lyndon Nerenberg (VE7TFX/VE6BBM)
2021-05-31 11:45 ` cinap_lenrek
2021-05-31 16:16   ` fulton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=E88E56B2AA634413D52129EC46917209@eigenstate.org \
    --to=ori@eigenstate.org \
    --cc=9front@9front.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).