
List:       openconnect-devel
Subject:    Re: Trying to build openconnect 8.20 on ubuntu 20
From:       Dimitri Papadopoulos Orfanos <dimitri.papadopoulos () cea ! fr>
Date:       2022-03-18 10:16:53
Message-ID: f62be74e-3abd-a03d-b13f-6d3f12f554d7 () cea ! fr

While I agree on pushing warnings to client end users to help general 
awareness about antiquated protocols, end users are usually not in a 
position to do anything about obsolete corporate VPN gateways.

As long as proprietary clients support some antiquated protocols, it's 
hard not to expect the same from OpenConnect.

If you think about it, it's a whole different issue on the **client** 
side and the **server** side. Perhaps it would make sense to have 
distinct TLS stacks/settings for services and clients, trying hard to 
minimize attack vectors on services, and trying to preserve usability 
of clients.

Best Regards,
Dimitri

On 18/03/2022 at 10:43, Nikos Mavrogiannopoulos wrote:
> I find that a futile goal as it goes against the consistency and minimization of
> attack surface goal that these policies are based on. Eventually these protocols
> will completely be removed from the OS libraries. It would be better to focus on
> giving good instructions to the user and warnings that these protocols will not be
> available for long, to help towards a transition to the newer generation of
> protocols rather than focus on keeping the old beasts alive.
> regards,
> Nikos

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
