
sslv2 and openssl 1.0


openssl 1.0.0-d is in unstable and by default disables
sslv2 methods, so what's the correct decision to make, regarding
packages that use ssl as client or server:

1) patch package to disable code that uses sslv2, and explain
   why in README.Debian.
   People might complain about old sslv2 clients in case the
   packaged software is a server (telepathy-*, web servers)

2) continue using sslv2 until upstream drops it
   (using some unknown flag to enable it at build time)

In the case that concerns me, it's easy to do 1), but I believe
it's up to the users to choose, so I'd rather do 2).
However, I know how to disable it with -DOPENSSL_NO_SSL2,
but not how to enable it.

Jérémy Lal
