Comment 4 for bug 1905790

Marco Trevisan (Treviño) (3v1n0) wrote : Re: Recompile SSSD in 20.04 using OpenSSL (instead of NSS) support

> What if, for example, someone has an LDAP server that only supports
> older TLS, and switching to OpenSSL causes their sssd LDAP TLS client to
> require newer TLS because of our stronger defaults? What I describe
> would result in a regression for that user until they reconfigure
> things. Is this a realistic possibility?

First, are we sure that such a scenario would currently work in current NSS?

I can't say whether that's a realistic scenario; we would need metrics. But I also think that if you're forcing a more secure behavior, it's not a regression to me; it's making people aware that they're misbehaving.

As we do SRU a browser version that no longer accepts deprecated crypto mechanisms, potentially causing a user regression, I don't see a problem in doing it in other tools.

It may require an admin action? Yes, but that's acceptable IMHO when the system in use is known not to be secure.
And IMHO we're responsible for that too, not just accepting that people use unsafe methods by default.

> I think you're thinking of functional regressions here (ie. introducing
> actual bugs), whereas I'm more bothered about regressing edge case user
> configurations (eg. introducing a change that requires users to change
> their local configurations to avoid a behavioural regression).

I'm thinking of those too (and especially in my scenario), but there's right now no known actual and reported regression (not just in Ubuntu, but everywhere on the web I've searched). So while there might indeed be edge cases, until I have proof of them I still think that the proposed change can only cause an improvement.

--

BTW, unrelated to this, this request is mostly triggered by bug #1865226, and to support it reliably we need to use an OpenSSL-based p11_child.