sslv2 and openssl 1.0

To: debian-devel@lists.debian.org
Subject: sslv2 and openssl 1.0
From: Jérémy Lal <kapouer@melix.org>
Date: Sun, 03 Apr 2011 02:52:17 +0200
Message-id: <[🔎] 4D97C4C1.7040202@melix.org>
Reply-to: kapouer@melix.org

Hi,

openssl 1.0.0-d is in unstable and by default disables
sslv2 methods, so what's the correct decision to make, regarding
packages that use ssl as client or server :

1) patch package to disable code that use sslv2, and explain
   why in README.Debian.
   People might complain about old sslv2 clients in case the
   packaged software is a server (telepathy-*, web servers)

2) continue using sslv2 until upstream drops it
   (using some unknown flag to enable it at build time)

In the case that concerns me, it's easy to do 1), but i believe
it's up to the users to choose, so i'd rather do 2).
However, i know how to disable it with -DOPENSSL_NO_SSL2,
but not how to enable it.

Jérémy Lal

Reply to:

Follow-Ups:
- Re: sslv2 and openssl 1.0
  - From: Scott Kitterman <debian@kitterman.com>
- Re: sslv2 and openssl 1.0
  - From: Simon McVittie <smcv@debian.org>
- Re: sslv2 and openssl 1.0
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: sslv2 and openssl 1.0
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: oops I sent a courtesy copy in violation of the code of conduct
Next by Date: Re: sslv2 and openssl 1.0
Previous by thread: Re: oops I sent a courtesy copy in violation of the code of conduct
Next by thread: Re: sslv2 and openssl 1.0
Index(es):
- Date
- Thread