
19 Jan 2024, 10:43 p.m.
Thanks for the explanations; I now have a better understanding of the issues at hand, and I hope this has helped others as well. My personal take would be to move TLS 1.0/1.1 out into a separate library, say, tls-deprecated. First, this clearly marks the mechanism as something not to be used unless you really need it. Second, people who just use TLS will stick with the standard tls library, and won't get old TLS activated by some funny accident (such as misconfiguration); after all, code that isn't there can't be involved in some security shenanigans. Just my 2 cents, trying to reconcile legacy needs and security-by-design aspects as far as possible. I hope it helps somebody.

Regards, Jo
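The split argued for in the post above, illustrated as an added example using Python's standard `ssl` module (this is not the poster's code and not the tls library under discussion): a default path that pins the protocol floor to TLS 1.2, a deliberately separate opt-in function standing in for the hypothetical "tls-deprecated" package, and a check that catches a context whose floor has drifted below TLS 1.2 through misconfiguration. Function names, the `TLS_FLOOR` constant and the "stated reason" requirement are assumptions made for the example.

```python
import ssl

# Nothing below this version is negotiable without an explicit opt-in.
# (Assumed policy for the example; Python 3.7+ is required for minimum_version.)
TLS_FLOOR = ssl.TLSVersion.TLSv1_2


def default_context() -> ssl.SSLContext:
    """The 'standard tls' path: a client context that can only speak TLS 1.2+.

    The floor is set explicitly rather than inherited from whatever the
    library's current default happens to be, so a future change of defaults
    (or a stray ctx.options tweak elsewhere) cannot silently lower it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = TLS_FLOOR
    return ctx


def legacy_context(reason: str) -> ssl.SSLContext:
    """The 'tls-deprecated' path: TLS 1.0/1.1 is reachable only by calling
    this function and naming why.

    Hypothetical split: in a real code base this function would live in a
    separate package, so code that never imports it cannot enable the old
    versions by accident.  MINIMUM_SUPPORTED delegates the actual lowest
    version to the OpenSSL build; builds compiled without TLS 1.0/1.1 will
    still refuse them at handshake time.
    """
    if not reason.strip():
        raise ValueError("legacy TLS requires a stated reason")
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def allows_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """Misconfiguration check: True if the context could negotiate below TLS 1.2.

    minimum_version may hold two sentinels rather than a version number:
    MINIMUM_SUPPORTED (-2) means 'whatever the build allows', which is treated
    as an unpinned floor; MAXIMUM_SUPPORTED (-1) means 'only the newest
    version', which cannot be legacy.
    """
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return False
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (-2), SSLv3, TLSv1 and
    # TLSv1_1 all compare below TLSv1_2.
    return floor < TLS_FLOOR


def require_modern_tls(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Guard to call before handing a context to networking code: refuse to
    proceed with an accidentally lowered floor instead of quietly connecting."""
    if allows_legacy_tls(ctx):
        raise RuntimeError(
            f"TLS floor is {ctx.minimum_version!r}; legacy versions are only "
            "permitted via legacy_context() with a stated reason"
        )
    return ctx


if __name__ == "__main__":
    # Constructed demonstration, no network involved.
    ok = require_modern_tls(default_context())
    print("default floor:", ok.minimum_version.name)
    old = legacy_context("talking to a vendor appliance that tops out at TLS 1.0")
    print("legacy context allows old TLS:", allows_legacy_tls(old))
    drifted = default_context()
    drifted.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # the "funny accident"
    try:
        require_modern_tls(drifted)
    except RuntimeError as exc:
        print("caught misconfiguration:", exc)
```

The point of `require_modern_tls` is the same as the post's "code that isn't there can't be involved": the standard path has no way to reach TLS 1.0/1.1, and if some other code lowers the floor anyway, the guard fails loudly before any connection is made rather than leaving the downgrade to be discovered in a handshake capture.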