Re: sslv2 and openssl 1.0

On Saturday, April 02, 2011 08:52:17 PM Jérémy Lal wrote:
> Hi,
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server :
> 1) patch package to disable code that use sslv2, and explain
>    why in README.Debian.
>    People might complain about old sslv2 clients in case the
>    packaged software is a server (telepathy-*, web servers)
> 2) continue using sslv2 until upstream drops it
>    (using some unknown flag to enable it at build time)
> In the case that concerns me, it's easy to do 1), but I believe
> it's up to the users to choose, so I'd rather do 2).
> However, i know how to disable it with -DOPENSSL_NO_SSL2,
> but not how to enable it.
> Jérémy Lal

I think that given RFC 6176, disabling it is the right thing to do.  It's
ancient, obsolete and cryptographically insecure.  Let it die.  Also now, at
the start of a development cycle is the best time to begin doing it anyway.

Scott K
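A check a packager could run when going with option 1, as an added example that is not part of this thread: it audits a source tree for the SSLv2-only method constructors that an OpenSSL built with OPENSSL_NO_SSL2 no longer provides, and reports which files still call them without an `#ifndef OPENSSL_NO_SSL2` guard. The sample source files at the end are constructed for the demo.

```shell
#!/bin/sh
# Files that call SSLv2_method(), SSLv2_client_method() or
# SSLv2_server_method() unconditionally will fail to build against an
# OpenSSL that was configured without SSLv2; a guard on OPENSSL_NO_SSL2
# (defined by opensslconf.h in such builds) is the usual upstream fix.
SSLV2_RE='SSLv2_(client_|server_)?method'

# audit_file FILE -> prints one of: clean, guarded, unguarded
audit_file() {
  f="$1"
  if ! grep -qE "$SSLV2_RE" "$f"; then
    echo clean
  elif grep -q 'OPENSSL_NO_SSL2' "$f"; then
    echo guarded
  else
    echo unguarded
  fi
}

# audit_tree DIR -> prints "STATUS FILE" for every C/C++ source that
# references an SSLv2 method; clean files are not listed
audit_tree() {
  find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name '*.cc' -o -name '*.cpp' \) |
  while IFS= read -r f; do
    s=$(audit_file "$f")
    [ "$s" = clean ] || printf '%s %s\n' "$s" "$f"
  done
}

# count_unguarded DIR -> number of files that still need patching
count_unguarded() {
  audit_tree "$1" | grep '^unguarded ' | wc -l | tr -d ' '
}

# Constructed sample tree: one unguarded caller, one already guarded.
demo=$(mktemp -d)
printf 'ctx = SSL_CTX_new(SSLv2_client_method());\n' > "$demo/legacy.c"
printf '#ifndef OPENSSL_NO_SSL2\nctx = SSL_CTX_new(SSLv2_server_method());\n#else\nctx = SSL_CTX_new(SSLv23_method());\n#endif\n' > "$demo/ok.c"
audit_tree "$demo"
echo "files needing a patch: $(count_unguarded "$demo")"
rm -rf "$demo"
```

Run it against an unpacked source package; a non-zero count from `count_unguarded` is the list of places where a patch (and the README.Debian note) is needed.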

