Re: sslv2 and openssl 1.0
On Saturday, April 02, 2011 08:52:17 PM Jérémy Lal wrote:
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server:
> 1) patch package to disable code that uses sslv2, and explain
> why in README.Debian.
> People might complain about old sslv2 clients in case the
> packaged software is a server (telepathy-*, web servers)
> 2) continue using sslv2 until upstream drops it
> (using some unknown flag to enable it at build time)
> In the case that concerns me, it's easy to do 1), but I believe
> it's up to the users to choose, so I'd rather do 2).
> However, I know how to disable it with -DOPENSSL_NO_SSL2,
> but not how to enable it.
> Jérémy Lal
I think that given RFC 6176, disabling it is the right thing to do. It's
ancient, obsolete and cryptographically insecure. Let it die. Also now, at
the start of a development cycle is the best time to begin doing it anyway.
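An added example, not part of this thread: the two checks a packager would want for a program linked against OpenSSL, namely whether libssl was built without SSLv2 (the runtime analogue of the OPENSSL_NO_SSL2 define) and whether the program's own client and server contexts refuse SSLv2 regardless of how libssl was built. It uses Python's ssl module, which is itself an OpenSSL-backed client/server library; the function names are my own.

```python
"""Defensive handling of SSLv2 in a program linked against OpenSSL."""
import ssl


def sslv2_compiled_in() -> bool:
    """True only if the OpenSSL that ssl was built against still has SSLv2.

    ssl.HAS_SSLv2 reflects OPENSSL_NO_SSL2 in the library's opensslconf.h,
    so this is the runtime analogue of the #ifdef a C package would use.
    """
    return bool(ssl.HAS_SSLv2)


def make_context(server: bool) -> ssl.SSLContext:
    """Build a context that negotiates TLS only, never SSLv2 or SSLv3.

    PROTOCOL_TLS_* is the SSLv23_*_method() style "highest common version"
    negotiation; pinning the floor to TLS 1.2 makes the refusal explicit
    instead of relying on the library's build flags.
    """
    purpose = ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def refuses_sslv2(ctx: ssl.SSLContext) -> bool:
    """Report whether this context can ever negotiate SSLv2."""
    if not sslv2_compiled_in():
        # Nothing to negotiate; OpenSSL >= 1.1.0 even defines SSL_OP_NO_SSLv2 as 0.
        return True
    # Older libssl with SSLv2 present: the OP_NO_SSLv2 option bit must be set.
    return bool(ctx.options & ssl.OP_NO_SSLv2)


def audit() -> dict:
    """Summarise what a packager would want to know before deciding 1) or 2)."""
    server, client = make_context(server=True), make_context(server=False)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "sslv2_compiled_in": sslv2_compiled_in(),
        "server_refuses_sslv2": refuses_sslv2(server),
        "client_refuses_sslv2": refuses_sslv2(client),
        "server_min_version": server.minimum_version.name,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```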