Re: sslv2 and openssl 1.0
On Sun, Apr 03, 2011 at 02:52:17AM +0200, Jérémy Lal wrote:
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server :
> 1) patch package to disable code that use sslv2, and explain
> why in README.Debian.
> People might complain about old sslv2 clients in case the
> packaged software is a server (telepathy-*, web servers)
> 2) continue using sslv2 until upstream drops it
> (using some unknown flag to enable it at build time)
There is no way to enable sslv2 anymore in the openssl library. I
will not re-add support for sslv2.
I doubt that there are many applications that only work with sslv2,
and if there are it's about time they start getting fixed to support
at least sslv3. Supporting tls would be even better.
Please note that any ssl connections has a way to indicate which
versions of ssl/tls they support. If they already use a library
like openssl to do ssl, and didn't force the library to only do
sslv2, there shouldn't be a problem.