by nelgaard 988 days ago
plus these individual devices will live for a long time.

I recently had to set up a non-encrypted website because I have a few old devices that can no longer do HTTPS.

IPv4 on local networks will probably exist for a very long time.


> I recently had to set up a non-encrypted website because I have a few old devices that can no longer do HTTPS.

That sounds like they haven't been updated for TLS>1.1 – if that is the case then rather than going all the way down to HTTP you could enable TLS 1.1 (and maybe 1.0). It is open to POODLE/BEAST/others that way, but still has some protection and the site's configuration differs less from the rest of your infrastructure.

Unless the site is completely internal only of course, in which case just sticking with HTTP may be less faff.

Is there any way to get a certificate that these old devices would trust and that would work over TLS < 1.2?

No, that is the problem. They worked with fewer and fewer websites until there were none left. I needed to install some packages, which I could just put on my own server.

And I have an old Blackberry Bold that now shows current electricity prices, so I know when to start my washing machine. That can also run on my own webserver.

https://gitlab.com/nelgaard/elpriser

Technically the certificate issues are separate from the protocol versioning. It's just that clients that don't support TLS 1.2 often also don't support SHA-2 certificates or may not have a path to validate certificates from currently available CAs (although you can usually push through that; no protocol support and no cert signature support is not a user bypass prompt).

As a side note, barely anything supports TLS 1.1 but not TLS 1.2.