[jdev] manifesto 0.4
holler at ahsoftware.de
Wed Nov 6 20:02:12 UTC 2013
Am 30.10.2013 15:58, schrieb Thijs Alkemade:
> On 30 okt. 2013, at 15:53, Tomasz Sterna <tomek at xiaoka.com> wrote:
>> Dnia 2013-10-30, śro o godzinie 01:21 +0100, Mathieu Pasquet pisze:
>>> Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
>>> supported initially (doesn’t xmpp appear after SSLv3 was
>>> standardized?), but dropping SSLv3, while also a good idea, might
>>> cause issues with lots of servers
>> And discouraging TLSv1 in favor of TLSv1.2 when latest OpenSSL does not
>> even support TLSv1.1 nor v1.2 is a pie-in-the-sky.
> OpenSSL supports TLS 1.2 since 1.0.1 (and I think TLS 1.1 since the same
> version), released March 14th, 2012.
Not exactly the same, but I don't like the part
"or require cipher suites that enable forward secrecy"
for the same reason. OpenSSL 1.x isn't around that long, and there are
still many systems which do use e.g. Debian squeeze. And I assume the
state of OpenSSL on other "stable" systems like e.g. SLES or RHEL isn't
much better (but that's just an assumption from me).
More information about the JDev