so many IoT devices barely support TLS, I'd hate to lose support for 1.0/1.1 already.
No signature algorithm negotiation in TLS < 1.2 and the only available algorithm uses MD5-SHA1, so I say yes, nuke it from orbit, or at least disable it by default.
Mark the old stuff as deprecated, sure. Have sensible modern defaults. But when I tried to stop using old TLS versions I was surprised, and horrified, how much legacy junk is out there that doesn’t support current versions, and the prospect of it ever getting fixed seems remote.
If they don't pay, that's fine. It's open source and frankly everything they ask for can be found in the open already. But I think they want answers from someone that speaks for curl and then darnit, I'm not going to do that for free to a huge commercial leech company.
Now let's make everyone else do it! Is there some existing framework that would help maintainers and businesses negotiate support? Seems like there's a lot of friction here.
iirc the big vulnerabilities in these protocols were implementation problems (including the downgrade dance). BEAST was one not mitigated that usually requires gigabytes of data to maybe break the cipher. I get the wide deprecation. It’s been painful over the decades to lose support for older protocols. I’ll know my stance probably long after it’s been removed. PCI-DSS has been aggressive about removal of TLS<1.2 yet it persists.
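Several replies in this thread ask what to use against legacy systems once a client stops offering TLS 1.0/1.1 by default. The practical first step is an inventory: find out which of your own endpoints are legacy-only before the defaults change. The script below is an added example written for this page (it is not curl's code and not from any commenter). It uses only the Python standard library, pins each handshake to exactly one protocol version, and separates "the peer refused" from "my own OpenSSL build cannot even offer that version", which is the confusing case on modern hosts. Hostnames in the comments and test are constructed placeholders; `fake_peer` is a helper added for dry runs without a network. The `DEFAULT:@SECLEVEL=0` cipher string is an OpenSSL control that lets OpenSSL 3 offer TLS 1.0/1.1 at all; other backends ignore or reject it.

```python
"""Probe which TLS protocol versions a host accepts, one version at a time.

Added example for inventorying legacy-only endpoints; not curl's code.
"""
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# (label, ssl.TLSVersion, locally available?), oldest first.
# ssl.HAS_TLSv1 etc. report whether the local TLS library can speak the version at all.
VERSIONS: List[Tuple[str, ssl.TLSVersion, bool]] = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]

LEGACY = {"TLSv1.0", "TLSv1.1"}


def handshake(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Complete a TLS handshake pinned to exactly one protocol version.

    Returns the negotiated version string; raises ssl.SSLError when the peer
    (or the local stack) refuses that version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol inventory only: the question is "does it speak X?", not whether
    # to trust it, so certificate validation is switched off for the probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 above security level 0; lower it for
        # the probe. Backends that reject the cipher string keep their defaults.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() or ""


def probe(host: str, port: int = 443,
          attempt: Callable[[str, int, ssl.TLSVersion], str] = handshake,
          versions: List[Tuple[str, ssl.TLSVersion, bool]] = VERSIONS) -> Dict[str, str]:
    """Try every version independently and classify each outcome."""
    report: Dict[str, str] = {}
    for label, version, available in versions:
        if not available:
            # "This machine cannot offer it" is not the same as "the peer rejected it".
            report[label] = "untestable-locally"
            continue
        try:
            attempt(host, port, version)
            report[label] = "accepted"  # min == max, so the pinned version was negotiated
        except ssl.SSLError:
            report[label] = "rejected"
        except OSError:
            report[label] = "unreachable"
    return report


def classify(report: Dict[str, str]) -> str:
    """Summarise a probe report for inventory purposes."""
    accepted = {label for label, outcome in report.items() if outcome == "accepted"}
    if not accepted:
        return "no-tls-or-unknown"
    if accepted <= LEGACY:
        return "legacy-only"  # breaks once clients stop offering TLS 1.0/1.1 by default
    if accepted & LEGACY:
        return "modern-with-legacy-fallback"
    return "modern-only"


def fake_peer(accepts: set) -> Callable[[str, int, ssl.TLSVersion], str]:
    """Stand-in for `handshake` simulating a server that accepts only `accepts`
    (a set of labels); lets the probe run offline for dry runs and tests."""
    by_version = {version: label for label, version, _ in VERSIONS}
    def attempt(host: str, port: int, version: ssl.TLSVersion) -> str:
        label = by_version[version]
        if label not in accepts:
            raise ssl.SSLError("handshake failure (simulated)")
        return label
    return attempt


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe(target, port)
    for label, outcome in result.items():
        print(f"{label:8} {outcome}")
    print("verdict:", classify(result))
```

Run it as `python probe_tls.py device.example 443` against a device you administer; a `legacy-only` verdict marks a box that needs an explicit legacy switch (or an upgrade) before the client's defaults move, while `untestable-locally` tells you the answer is unknowable from this machine rather than a property of the device.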
faker (in reply to daniel:// stenberg://): To be honest, as long as Chrome supports it I wouldn't get rid of it. It's going to be annoying to debug issues without it.
Billy O'Neal (in reply to daniel:// stenberg://): AWOLNATION - Burn It Down (YouTube)
Clemens (in reply to daniel:// stenberg://)
Wolf480pl (in reply to daniel:// stenberg://): I think disabling them by default is a good idea, but I would prefer to still have a command-line option to enable them, in case I need to interact with some old embedded device or something. I don't know how much code it takes in curl and libcurl to support those TLS versions. But if all of it is in the TLS libraries like OpenSSL, and curl just needs to pass a flag, I think it's worth keeping for a few more years.
Peter Tribble (in reply to daniel:// stenberg://)
hayden aiken 🇺🇲 (in reply to daniel:// stenberg://)
SpaceLifeForm (in reply to daniel:// stenberg://): I would not, but generate a warning. Some may need the function to diagnose old kit.
fubar666 (in reply to daniel:// stenberg://): Maybe both old TLS protocols can be disabled by default? And enabled only if the developer/user enables them explicitly? But probably the main issue is maintaining code for something deprecated just because of "developer/user convenience" 🙂
daniel:// stenberg:// (in reply to daniel:// stenberg://)
Rocketman (in reply to daniel:// stenberg://)
LangerJan (in reply to daniel:// stenberg://)
Numerfolt (in reply to daniel:// stenberg://)
Mattias Karlsson (he/him) (in reply to daniel:// stenberg://)
daniel:// stenberg:// (in reply to daniel:// stenberg://)
Z̈oé ⛵ (in reply to daniel:// stenberg://)
Štěpán Škorpil (in reply to daniel:// stenberg://)
Ben Zanin (in reply to daniel:// stenberg://)
⊥ᵒᵚ⁄Cᵸᵎᶺᵋᶫ∸ᵒᵘ ☑️ (in reply to daniel:// stenberg://)
SuperIlu (in reply to daniel:// stenberg://)
FiXato (in reply to daniel:// stenberg://): ah, I assume this was meant to be a reply to mastodon.social/@bagder/114833… rather than this thread?
daniel:// stenberg:// 2025-07-11 07:44:17
daniel:// stenberg:// (in reply to FiXato)
wraptile (in reply to daniel:// stenberg://)
Arnaud Launay (in reply to daniel:// stenberg://)
Snark Week Global (in reply to daniel:// stenberg://)
Arik (in reply to daniel:// stenberg://)
Eloy. 🔜 eth0 (in reply to Arik)
daniel:// stenberg:// (in reply to Eloy. 🔜 eth0)
fukawi2 (in reply to daniel:// stenberg://)
Falko (in reply to daniel:// stenberg://)
Klaus Frank (in reply to daniel:// stenberg://): So what are you all using to interact with legacy systems then? Should I add a mitmproxy to my default configuration for my debug box now that even curl drops support for this? I can understand having to add a "--legacy-tls" option or something, but not having TLS 1.0 and 1.1 is going to be quite annoying ngl.
Drew Scott Daniels (in reply to daniel:// stenberg://)