William Bradford Clark

Results 88 comments of William Bradford Clark

Requesting reviews from @ehelms for general protocol wizardry and from @hao-yu and @pmoravec for familiarity with the related downstream bug

> Dunno about impact on upgrades (i.e. does db migration make sense?), and apart from the typo it sounds great!

That's a good question. I tested this by setting a...

> What were the issues? Are there other reasons not to defer to 1.3 as the default?

There is some discussion on it here: https://github.com/theforeman/foreman-infra/pull/2001 The differences between TLSv1.2...

Thanks @ekohl. Let me make sure I'm following: you are proposing that in the future, once https://github.com/ruby/openssl/pull/710 is available in our ruby, we could remove these settings entirely and...

> I'd argue for removal without replacement now, even if my PR (which is now merged) isn't released yet. Today's setting limits TLS version but in a way that the...

> How many users actually want this feature?

It was introduced for compatibility. Since we moved to EL8 the SSLv3 option doesn't do anything (since OpenSSL 1.1.0+ is compiled without...

> https://bugzilla.redhat.com/show_bug.cgi?id=2216445 is from @pmoravec and the problem there is that the current default is _less_ secure than if we dropped it (and can cause problems).

I'll let him answer...

> But what do you win with it?

System-wide crypto policies are probably better for compliance. For example, [NIST SP 800-52 Rev. 2](https://csrc.nist.gov/pubs/sp/800/52/r2/final) mandates TLS 1.2 as the minimum...

N.B. I split this portion of my response into a separate comment, to emphasize that I see these details as being less urgent than the primary points I made above....
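To make concrete the two points raised above (a setting that "limits TLS version but in a way that..." works against you, and that a floor plus the system-wide crypto policy is the better fit for NIST SP 800-52 Rev. 2), here is an added Ruby example. It is my illustration, not code from Foreman, from the PR, or from ruby/openssl, and it assumes nothing about how the Foreman setting under discussion is actually implemented. It contrasts two ways of expressing "TLS 1.2 or better" with `OpenSSL::SSL::SSLContext`: `ssl_version = :TLSv1_2`, which sets the minimum and the maximum to the same version and so also rules out TLS 1.3, versus `min_version = TLS1_2_VERSION`, which leaves the ceiling to OpenSSL and the system crypto policy. The loopback server, the self-signed certificate and the helper names (`pinned_client_context`, `floor_client_context`, `negotiate`, `compare_versions`) are all constructed for the demo.

```ruby
require 'openssl'
require 'socket'

# Constructed self-signed certificate for the loopback server. Demo material
# only; it is generated fresh on every run and never leaves the process.
def make_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

SERVER_KEY, SERVER_CERT = make_cert

# Server side: a TLS 1.2 floor and no explicit ceiling, so the newest version
# that OpenSSL (and, on EL, the system crypto policy) permits can be used.
def server_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key = SERVER_KEY
  ctx.cert = SERVER_CERT
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# Style A, the "pin one protocol" setting (hypothetical helper): ssl_version=
# sets the minimum AND the maximum to the same version, so this client can
# never negotiate TLS 1.3 even when both ends support it.
def pinned_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ssl_version = :TLSv1_2
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed demo cert only
  ctx
end

# Style B, a floor only (hypothetical helper): min_version= rejects TLS 1.0 and
# 1.1 (SP 800-52r2 requires at least 1.2) and leaves the ceiling to the
# library and the system policy.
def floor_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed demo cert only
  ctx
end

# Perform one handshake against an in-process loopback server and return the
# protocol string OpenSSL reports for the negotiated connection.
def negotiate(client_ctx)
  tcp = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]
  server = OpenSSL::SSL::SSLServer.new(tcp, server_context)
  accepter = Thread.new do
    conn = server.accept # completes the server side of the handshake
    conn.close
  end
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, client_ctx)
  ssl.sync_close = true
  ssl.connect
  version = ssl.ssl_version
  ssl.close
  accepter.join
  server.close
  version
end

# Negotiated protocol for both client styles against the same server.
# With OpenSSL 1.1.1 or newer: pinned => "TLSv1.2", floor => "TLSv1.3".
def compare_versions
  { pinned: negotiate(pinned_client_context),
    floor: negotiate(floor_client_context) }
end

if __FILE__ == $PROGRAM_NAME
  compare_versions.each { |style, version| puts "#{style}: #{version}" }
end
```

The pinned client always lands on TLS 1.2 regardless of what the server or the host policy offers, which is exactly the "less secure than dropping it" situation: the setting was meant to exclude old protocols, but it also freezes out newer ones, and any later tightening of the system-wide policy cannot help because the application has overridden both ends of the range. The floor-only client keeps the compliance guarantee (nothing below 1.2) while letting the library and the crypto policy decide the ceiling, so on a build with TLS 1.3 support it negotiates TLS 1.3 with no application change.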