TLS 1.0 and TLS 1.1 protocols removal

If they are still running XP, they need to either upgrade or run the required software in VirtualBox (or an equivalent).

Although there may be a cost for those holdouts, they are in the exceptional minority and I do not believe that this exceptional minority should degrade security for the rest of us as they will be the weakest link in the chain.

1 Like

I tend to agree, but others may have a significant number of XP users. That’s why it’s configurable, and admins can make their own decisions.

If you are stuck on XP because of a money issue, please migrate to Ubuntu LTS or kick the ass of your system administrator.

I can see two reasons why someone might be stuck on XP: (1) legacy software that just won’t run on anything newer, or (2) inertia. In the latter case, yes, “kick the ass of your system administrator”; XP is almost 20 years old and has been EOL for 6 years (which is a pretty good run for any OS). In the former case, probably, take the system off your network completely.

And for the former, in most scenarios it's also a case of “kick the ass of your system administrator”.

There should be exceptionally few use cases where certain companies (note I say companies and not individuals) need to run legacy software due to the drivers for certain hardware that don’t have drivers for the newer operating systems and these use cases should be very few and far between.

Outside of those very very narrow use cases, there is absolutely no excuse.

I know that in industry, with machine tools, you sometimes need an old version of an OS, much older than XP, if you want to program them, but in any case these operating systems are connected to the internet. Either it is an old laptop that you take great care of because you cannot find another one, or you have a VirtualBox clone that you share among the technician guys.

I am still able to program some tools with DOS, even XP is too modern for this, but I speak about smoke detectors of 1995, AD 1000.

The new policy’s looking pretty good:

But there are a number of available cipher suites reported as weak:

2 Likes

Trying to activate the new policy gives an error:

Der folgende Befehl ist gescheitert:
system-tls-policy/update

However all other selections give the same error.

When I try to execute /usr/libexec/nethserver/api/system-tls-policy/update in a terminal, nothing happens. It just hangs without any I/O.

After a reboot it works fine. It seems to be some semaphore exhaustion problem.

The new policy is really nice, however it contains several weak ciphers. An additional policy which removes ciphers flagged weak from https://www.ssllabs.com/ssltest/ would be nice.

1 Like
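An added example, not part of the thread and not NethServer's own policy code: one way to check, offline, which suites an OpenSSL cipher string enables once TLS 1.0 and 1.1 are off, and which of those a scanner would likely flag. It assumes "weak" means a non-AEAD (CBC) suite or a key exchange without forward secrecy; the two cipher strings are constructed for illustration.

```python
import ssl

# Constructed cipher strings (assumptions, not taken from the thread):
BROAD = "HIGH:!aNULL:!eNULL"              # typical permissive setting
STRICT = "ECDHE+AESGCM:ECDHE+CHACHA20"    # AEAD + ephemeral key exchange only


def audit(cipher_string):
    """Return (strong, weak) lists of suite names enabled by cipher_string.

    Assumed definition of "weak": the suite is not AEAD (CBC + HMAC), or its
    key exchange gives no forward secrecy (static RSA, plain PSK, ...).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0 / 1.1 disabled
    ctx.set_ciphers(cipher_string)                 # TLS 1.3 suites stay enabled

    strong, weak = [], []
    for suite in ctx.get_ciphers():
        kea = suite["kea"]                         # e.g. kx-ecdhe, kx-rsa, kx-any
        forward_secret = "dhe" in kea or kea == "kx-any"   # kx-any: TLS 1.3
        if suite["aead"] and forward_secret:
            strong.append(suite["name"])
        else:
            weak.append(suite["name"])
    return strong, weak


def report(label, cipher_string):
    """Print a short summary for one cipher string and return the weak list."""
    strong, weak = audit(cipher_string)
    print(f"{label}: {len(strong)} strong, {len(weak)} weak")
    for name in weak:
        print(f"  weak: {name}")
    return weak


if __name__ == "__main__":
    report("broad", BROAD)
    report("strict", STRICT)
```

The result depends on the local OpenSSL build, so run it on the server whose policy is being reviewed.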