[Info-vax] OpenSSL CSWS-2.2-1
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Jun 5 13:54:11 EDT 2019
On 2019-06-05, Phillip Helbig (undress to reply) <helbig at asclothestro.multivax.de> wrote:
> In article <qd7kb1$95k$1 at dont-email.me>, Dave Froble
> <davef at tsoft-inc.com> writes:
>
>> You're missing the point. If a significant part of some company's
>> business is with a trading partner who will not upgrade their SSL
>> capabilities, and you have no way to get them to change, then, you do
>> what you have to do to stay in business.
>
> Indeed. While I understand the purpose of both encryption and
> authentication, many SSL implementations will refuse to connect if the
> offered ciphers are deemed to be insecure, rather than having an option
> (more common in web browsers) saying: "there is a problem, but if you
> know what you are doing, you can continue". Without that option, SSL is
> a non-starter if the other side is "too old", which is why some people
> still run telnet. Even if the cypher is not up to date, it is still
> better than no encryption, and at least there is authentication.
>

SSL has nothing to do with interactive command line communications;
you are thinking of SSH.

As for SSL, people go for more secure options because those are now
the required industry standards. That's why TLS 1.2 is now so commonly
required (for example) and why you may not be allowed to fall back to
TLS 1.0 (for example) to talk to that service/website.

Similar comments apply to SSH, however. If an organisation is upgrading
their SSH requirements then they are unlikely to offer telnet as an
option because that would defeat the point of upgrading SSH.

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world