From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 24599 invoked from network); 2 Jun 2021 09:28:01 -0000 Received: from 1ess.inri.net (216.126.196.35) by inbox.vuxu.org with ESMTPUTF8; 2 Jun 2021 09:28:01 -0000 Received: from mimir.eigenstate.org ([206.124.132.107]) by 1ess; Tue Jun 1 20:39:10 -0400 2021 Received: from abbatoir.myfiosgateway.com (pool-74-108-56-225.nycmny.fios.verizon.net [74.108.56.225]) by mimir.eigenstate.org (OpenSMTPD) with ESMTPSA id f5cece30 (TLSv1.2:ECDHE-RSA-AES256-SHA:256:NO); Tue, 1 Jun 2021 17:39:00 -0700 (PDT) Message-ID: To: 9front@9front.org, ori@eigenstate.org Date: Tue, 01 Jun 2021 17:38:58 -0700 From: ori@eigenstate.org In-Reply-To: <0322caee1c31f2fc@orthanc.ca> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit List-ID: <9front.9front.org> List-Help: X-Glyph: ➈ X-Bullshit: base out-scaling method-oriented metadata-scale layer Subject: Re: [9front] [patch] devtls updates Reply-To: 9front@9front.org Precedence: bulk Quoth Lyndon Nerenberg (VE7TFX/VE6BBM) : > > Do you have specifics? I'd like to at least > > try to remove the blatantly broken stuff. > > Just off the top of my head, SSH needs aes128-cbc in order to talk > to our HP 5500s. As of OpenBSD 6.7 or so I have to explicitly > enable that on the client side, otherwise it won't negotiate. Our > budget 3Com switches in the office are in the same boat (I can't > connect to them from home so I can't give you a model number > off-hand). The latter also suffer from ancient TLS implementations > that require frobbing of hashes and ciphers, but again, I can't get > to them from here to look up the specifics. > > In a nutshell I would preserve the functionality needed to wind back > to TLS 1.0, but disable negotiating anything that isn't required > for >= TLS 1.2 unless explicitly asked for by the user. > > --lyndon ssh doesn't use devssl or devtls, so that's not really relevant to this patch set. For tls, I'd be ok with keeping specific obsolete ciphers around if there are devices that need it, but rc4 is well past deprecated into kill it with fire territory: https://datatracker.ietf.org/doc/html/rfc7465 but for that, we need to decide what we do with cpu, exportfs, and oexportfs.