[Users] TLS hardening patch

Ricardo Mones ricardo at mones.org
Tue Dec 13 12:32:37 UTC 2022


Hi Jeffrey,

On Mon, 12 Dec 2022 13:43:32 -0500
Jeffrey Walton <noloader at gmail.com> wrote:

> On Mon, Dec 12, 2022 at 1:37 PM Paul <paul at claws-mail.org> wrote:
> >
> > On Mon, 12 Dec 2022 12:24:20 -0500
> > Jeffrey Walton <noloader at gmail.com> wrote:
> >  
> > > If the project wishes to harden the use of TLS, then I'll
> > > complete the work and submit a patch per
> > > www.claws-mail.org/devel.php .
> > >
> > > If the project does not want a patch to harden use of TLS, then I
> > > won't spend time on it.  
> >
> > In that case, it's an odd question because, of course, more
> > security is always good. Could there be any project not interested
> > in that?!?  
> 
> It's been my experience that some project maintainers are
> argumentative and contrarian. These types of folks will find a reason
> to reject a patch, even if the patch is generally helpful. I find it
> is always best to ask before investing the time.

Without intending to be either the former or the latter,
and assuming your patch will follow the style shown in the example,
will it be possible for those curl calls to negotiate a lower level
with (old) servers, or will those servers effectively be banned from
connecting if they don't support TLS 1.2 level?

From reading the curl documentation it seems the case is the second,
though I'm not sure. And, if that's the case, I think some degree of
configuration may be desirable in order to allow people to interact
with those servers, which are probably not under their control.

best regards,
-- 
  Ricardo Mones 
  ~
  Don't take the name of root in vain.          /usr/src/linux/README
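
The trade-off raised in this message, as an added example that is not from the thread or from Claws Mail: it uses the curl command-line tool rather than libcurl calls, and shows a strict default floor of TLS 1.2 with per-host exceptions for servers that cannot reach it. The function names, the `OVERRIDES` list and its hosts are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names, OVERRIDES and its hosts are hypothetical.

# Constructed sample: per-host exceptions, one "host floor" pair per line.
OVERRIDES='legacy.example.org 1.0
old-imap.example.net 1.1'

# Print the TLS floor for a host: its exception if listed, else 1.2.
floor_for_host() {  # $1 = host
    printf '%s\n' "$OVERRIDES" | awk -v h="$1" '
        $1 == h { print $2; found = 1; exit }
        END     { if (!found) print "1.2" }'
}

# Map a floor to the curl flag that enforces it. curl documents each
# --tlsv1.x flag as "that version or later", so it is a minimum.
tls_floor_flag() {  # $1 = floor, empty means default
    case "$1" in
        1.0)    echo "--tlsv1.0" ;;
        1.1)    echo "--tlsv1.1" ;;
        ""|1.2) echo "--tlsv1.2" ;;
        1.3)    echo "--tlsv1.3" ;;
        *)      return 1 ;;  # unknown value: refuse instead of guessing
    esac
}

# Turn a curl exit status into a message that names the floor.
# Status 35 is curl's "SSL connect error" (handshake failed).
explain_exit() {  # $1 = curl exit status, $2 = floor
    case "$1" in
        0)  echo "ok" ;;
        35) echo "handshake failed: server may not offer TLS $2 or later" ;;
        *)  echo "curl error $1" ;;
    esac
}

# Connect to a URL with the floor configured for its host.
check_url() {  # $1 = host, $2 = URL
    floor=$(floor_for_host "$1")
    flag=$(tls_floor_flag "$floor") || { echo "bad floor: $floor" >&2; return 2; }
    curl --silent --output /dev/null "$flag" "$2"
    rc=$?
    explain_exit "$rc" "$floor"
    return "$rc"
}
```

Hosts without an entry keep the 1.2 floor, so an exception has to be added deliberately for each legacy server.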
