Hi,
On 4 Aug 2019, at 09:42, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael, hello *,
sorry for the late reply.
Lol, yeah I know why this is.
We have probably the same problem with dns.lightningwirelabs.com where Daniel contacted me yesterday that a system with Core Update 125 was unable to update its DNS record.
That is interesting as Fireinfo reports 2.28% of reporting installations running on this Core Update. Do you have more information why these might be unable to report?
Did those maybe submit an update before the 14 days deadline?
Those systems simply use an outdated version of OpenSSL and we require TLS 1.2 or better with all the bells and whistles. We might have to downgrade that to catch all fireinfo profiles.
Even OpenSSL 1.0.x is capable of TLS 1.2, and I think Core Update 125 is using that version branch. Either way, this would mean all installations are able to report, or none is. But ~ 2.3% is somewhat in between... :-|
The profiles will only go away when they have not been updated in 14 days.
Some really old systems will send via HTTP and we won’t upgrade them to HTTPS because the whole profile has of course already been transmitted.
Suggestions on what to do?
Actually, we never had reliable data in Fireinfo. Partial due to reporting being a opt-in function (and I know a lot of people leaving this disabled), partial due to outdated installations being unable to report anymore.
Needless to say, I think Fireinfo is valuable, and it should be an opt-in, anyway. But we have to bear in mind its only a fraction we talk about, and perhaps there is a chance to enumerate how large it is.
I do not see any need for technical changes here, i.e. allowing TLS 1.0 or something.
Is it the ECSDA certificate? Or that we do not support anything but an ECC key exchange? PFS?
Thanks, and best regards, Peter Müller
-Michael
On 30 Jul 2019, at 17:59, Peter Müller peter.mueller@ipfire.org wrote:
Hello *,
having a look at the Fireinfo statistics every now and then (https://fireinfo.ipfire.org/), I just noticed 41.68% of all reporting installations are running on the latest Core Update.
As far as I am concerned, that number is pleasing, but we used to have fractions of ~ 33.00% here. So, people are either installing updates faster than they did in the past (I rather doubt it) or many (heavily) outdated installations disappeared.
On the other hand, due to datacenter migration issues, we are behind the normal release schedule - thus giving admins more time to update to the current version.
Just thought you might find this interesting.
Thanks, and best regards, Peter Müller -- The road to Hades is easy to travel. -- Bion of Borysthenes
-- The road to Hades is easy to travel. -- Bion of Borysthenes