[Haskell-cafe] heads-up: tls v2.0.0

Kazu Yamamoto (山本和彦) kazu at iij.ad.jp
Sun Jan 21 00:09:45 UTC 2024


Hi,

I hit upon a solution for Viktor.
TLS 1.0/1.1 code is kept and enabled via a special parameter.
Old cipher suites including CBC are provided by
"tls-insecure" or something.

I'm surprised because Jo already proposed the same solution. :-)
So, I would support his proposal.

Viktor, could you volunteer to maintain the "tls-deprecated" package?

--Kazu

> Thanks for the explanations; I now have a better understanding of the
> issues at hand, and I hope this has helped others as well.
> 
> My personal take would be to move TLS 1.0/1 out into a separate
> library, say, tls-deprecated.
> One, this clearly marks the mechanism as something not to be used
> unless you really need it.
> Second, people who just use TLS will stick with the standard tls
> library, and won't get old TLS activated by some funny accident (such
> as misconfiguration); after all, code that isn't there can't be
> involved in some security shenanigans.
> 
> Just my 2 cents, trying to reconcile legacy needs and
> security-by-design aspects as far as possible.
> I hope it helps somebody.
> 
> Regards,
> Jo