This makes me anxious, but I'm not sure if my anxiety is valid. I didn't know it was okay to disable TLS 1.0/1.1 this early. Correct me if I'm wrong, but this will affect all HTTPS web requests and web serving, as well as mail delivery and receipt from Debian sid. I'm not sure I want to only be able to surf ~90% of the encrypted web[1] and I'm not sure I'm ready to drop support for Android 4.3[2] or stock Windows 7/IE (which has TLS 1.2 switched off in Internet Options). Not to mention all the mail servers out there running outdated crypto. I have mail in my inbox (from e.g. Amazon Pay) received over TLS 1.0. As far as I understand, supporting outdated protocols like TLS 1.0 is only a problem if there is a downgrade attack that can force a server and client that speak TLS 1.2 to communicate over TLS 1.0. Otherwise, it should be fine to support TLS 1.0 to speak to older clients, while giving newer clients the option to speak over TLS 1.2.
Hopefully this announcement is correct in the assumption that support for TLS 1.2 will be high enough when Buster is released.
I'm pretty certain you're being sarcastic, but on Debian, most of the users stick to the "stock", packaged ones, instead of building their own. Indeed you can build nginx with custom ssl, but most of the Debian users won't fiddle with this.
Browsing shouldn't be affected as it doesn't use OpenSSL. However, I share your concerns. The target is the next stable (two years), but many of us are running unstable or testing.
Browsers use TLS, but I don't think many of them use OpenSSL's implementation. Firefox uses NSS, and Chrome uses BoringSSL (which is related but not affected by this change).
[1]: https://www.ssllabs.com/ssl-pulse/
[2]: https://www.ssllabs.com/ssltest/clients.html