1. 3

    While I do agree that Docker builds could be a lot better, I would say this scenario is very much an edge case? Switching off old TLS versions or ciphers can arguably be considered a security upgrade.

    I’d consider this an issue with the LDAP server. Apparently, browser vendors are stopping TLS 1.1 early 2020, so I would expect more issues to start cropping up with the server if it’s not upgraded. And OpenSSL has had support for TLS 1.2 since 2012, so that seems like a pretty large window,

    1. 5

      Scope it larger: The scenario is more usefully seen as “I thought I had pinned my dependencies well enough, but it turns out I was still getting upgraded to newer major versions”. That’s much less of an edge case.

      If you wanted to do root cause analysis, then yes, you’d also want to ask “why did the LDAP server only support TLS 1.1” (and some other questions as well.) Both contributed to the problem, and both are also broadly applicable.

      1. 1

        As the author of the article, I agree with saturn :) I thought about writing it more general, but decided for the more anecdotal style.