
OpenSSH announces DSA-removal timeline

Posted Jan 14, 2024 20:52 UTC (Sun) by zdzichu (subscriber, #17118)
In reply to: OpenSSH announces DSA-removal timeline by pizza
Parent article: OpenSSH announces DSA-removal timeline

Ah yes. I've bought a TP-Link TL-SG2216 switch with 5 year warranty for home. Managed – over HTTPS and SSH. During the last year of the warranty, I've noticed it only supported TLS1.0 with laughable ciphers:

Preferred TLSv1.0  128 bits  RC4-SHA                      
Accepted  TLSv1.0  128 bits  RC4-MD5                      
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.0  56 bits   TLS_RSA_WITH_DES_CBC_SHA

I've noticed because web browsers disabled TLS < 1.2 some time ago (and this is good). I've opened a support issue with TP-Link, after all the feature (which was a selling point to me) stopped working. After a longish email thread explaining that I would like the feature to work again(*) my issue got closed, because: 1) my 5 year warranty just ended; 2) I should have opened a ticket with the reseller, not TP-Link themselves. :(

* - getting the HTTPS fixed would require TP-Link to implement TLS 1.2 in their firmware. Which may be impossible, but was not business-sensible for sure. They discontinued the switch in the meantime, despite having units covered by 5 year warranty in the field.

Oh, and the second management option, SSH? Since the beginning I had to use this invocation:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=aes256-cbc -oHostKeyAlgorithms=+ssh-dss …

Network hardware vendors are the worst.
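
The scan lines and ssh options quoted in the comment above, run through a small weak-algorithm checker. This is an added example, not part of the original post; the TLSv1.2 line in the sample is constructed for contrast, and the function names and reason strings are assumptions.

```python
import re

# First four lines are the scan output quoted in the comment; the last is constructed for contrast.
SCAN = """\
Preferred TLSv1.0  128 bits  RC4-SHA
Accepted  TLSv1.0  128 bits  RC4-MD5
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA
Accepted  TLSv1.0  56 bits   TLS_RSA_WITH_DES_CBC_SHA
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
"""
# Options from the comment's ssh invocation (host argument omitted).
SSH_CMD = "ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=aes256-cbc -oHostKeyAlgorithms=+ssh-dss"

SCAN_LINE = re.compile(r"^(?:Preferred|Accepted)\s+((?:SSL|TLS)v[\d.]+)\s+(\d+) bits\s+(\S+)")
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_PARTS = {"RC4": "RC4", "MD5": "MD5 MAC", "3DES": "3DES", "DES": "single DES"}
LEGACY_SSH = {"diffie-hellman-group1-sha1": "1024-bit DH group with SHA-1",
              "ssh-dss": "DSA host key"}

def tls_findings(line):
    """Return the reasons one scan line is weak; an empty list if none apply."""
    m = SCAN_LINE.match(line.strip())
    if not m:
        return []
    proto, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
    # OpenSSL spells 3DES "DES-CBC3"; normalise so it is not mistaken for single DES.
    parts = set(re.split(r"[-_]", cipher.replace("DES-CBC3", "3DES")))
    reasons = ["protocol below TLS 1.2"] if proto in OLD_PROTOCOLS else []
    reasons += [why for token, why in WEAK_PARTS.items() if token in parts]
    if bits < 128:
        reasons.append(f"{bits}-bit key")
    return reasons

def ssh_findings(cmd):
    """Return (option, algorithm, reason) for each legacy algorithm a -o option enables."""
    out = []
    for opt, value in re.findall(r"-o\s*(\w+)=(\S+)", cmd):
        if value.startswith("-"):  # a leading "-" removes algorithms, nothing is enabled
            continue
        for alg in value.lstrip("+^").split(","):
            reason = LEGACY_SSH.get(alg) or ("CBC-mode cipher" if alg.endswith("-cbc") else None)
            if reason:
                out.append((opt, alg, reason))
    return out

if __name__ == "__main__":
    for line in SCAN.splitlines():
        print(line.split()[-1], "->", tls_findings(line) or "ok")
    for finding in ssh_findings(SSH_CMD):
        print(*finding, sep=": ")
```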



OpenSSH announces DSA-removal timeline

Posted Jan 15, 2024 10:19 UTC (Mon) by Wol (subscriber, #4433)

> I've opened a support issue with TP-Link, after all the feature (which was a selling point to me) stopped working. After a longish email thread explaining that I would like the feature to work again(*) my issue got closed, because: 1) my 5 year warranty just ended; 2) I should have opened a ticket with the reseller, not TP-Link themselves. :(

Okay, this is UK rules, but under them, point 2 is valid. HOWEVER. You now just raise the issue with the reseller - the fact that your five-year warranty has expired is irrelevant. The warranty covers faults THAT EXISTED in the warranty period. If you claim outside the period, then you have the burden of proving they were pre-existing faults, but "the warranty has expired" on its own is not sufficient to turn down a warranty claim. You've got a dead-easy proof - you raised the issue with TP-Link during the warranty period ...

Cheers,
Wol

OpenSSH announces DSA-removal timeline

Posted Jan 15, 2024 11:47 UTC (Mon) by zdzichu (subscriber, #17118)

That's interesting, I may try that. Thanks!

OpenSSH announces DSA-removal timeline

Posted Jan 15, 2024 16:46 UTC (Mon) by Wol (subscriber, #4433)

Not knowing where you're based, so if you're elsewhere in Europe don't assume the rules are the same.

For Directives, the national implementation must implement the directive *as a minimum*. UK rules are noticeably different from the directive, but because they are much stricter that's not a problem. However, I would have thought this would be covered by the directive.

Cheers,
Wol

OpenSSH announces DSA-removal timeline

Posted Jan 18, 2024 23:14 UTC (Thu) by rknight (subscriber, #26792)

> Ah yes. I've bought a TP-Link TL-SG2216 switch with 5 year warranty for home. Managed – over HTTPS and SSH. During the last year of the warranty, I've noticed it only supported TLS1.0 with laughable ciphers:

Not sure what family the TL-SG2216 is in, but at least a couple of TP-Link switches have some support from OpenWrt now and therefore have support for modern HTTPS and SSH. See https://openwrt.org/docs/techref/targets/realtek for a current list of supported switches. Note that some enterprise features of the switch are not yet supported, but basic switching and PoE support are there.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.