Re: Deprecate TLS1.0 support in emacs

[Robert Pluim]

Ted Zlatanov <address@hidden> writes:

> On Thu, 03 Aug 2017 23:17:13 -0400 Stefan Monnier <address@hidden> wrote: 
>
> SM> I generally agree on the principle, but at the same time I wonder what
> SM> actions would make sense: there are basically 2 applicable actions, one
> SM> of which (contact the webmaster to suggest upgrading to a better
> SM> protocol) is difficult to automate.
>
> I would suggest these possible actions:
>
> * don't warn me about this site anymore and proceed (whitelist)
> * don't warn me about TLS 1.0 issues for (dropdown: 1 day, 3 days, 1 month)
> * don't warn me about this site for (dropdown: 1 day, 3 days, 1
> month)

I don't think I'd ever want this to be time-based. For me it's all
subsumed by this one:

> * proceed this once

since I'll want to revisit my decision the next time I connect,
whenever that is.

> * blacklist site as long as it uses TLS1.0; abort connection; never notify
> * blacklist TLS1.0 globally; abort all such connections; never notify

These seem a little drastic, even to me :-) You can achieve almost
this already by customizing gnutls-algorithm-priority

BTW, Debian unstable just started the process of removing support for
TLS1.0 *and* TLS1.1 from OpenSSL, I assume the equivalent GnuTLS
change is not far behind:

https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html

Regards

Robert