Re: sslv2 and openssl 1.0

To: debian-devel@lists.debian.org
Subject: Re: sslv2 and openssl 1.0
From: Scott Kitterman <debian@kitterman.com>
Date: Sat, 2 Apr 2011 22:23:29 -0400
Message-id: <[🔎] 201104022223.32345.debian@kitterman.com>
In-reply-to: <[🔎] 4D97C4C1.7040202@melix.org>
References: <[🔎] 4D97C4C1.7040202@melix.org>

On Saturday, April 02, 2011 08:52:17 PM Jérémy Lal wrote:
> Hi,
> 
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server :
> 
> 1) patch package to disable code that use sslv2, and explain
>    why in README.Debian.
>    People might complain about old sslv2 clients in case the
>    packaged software is a server (telepathy-*, web servers)
> 
> 2) continue using sslv2 until upstream drops it
>    (using some unknown flag to enable it at build time)
> 
> In the case that concerns me, it's easy to do 1), but i believe
> it's up to the users to choose, so i'd rather do 2).
> However, i know how to disable it with -DOPENSSL_NO_SSL2,
> but not how to enable it.
> 
> Jérémy Lal

I think that given RFC 6176, disabling it is the right thing to do.  It's 
ancient, obsolete and cryptographically insecure.  Let it die.  Also now, at 
the start of a development cycle is the best time to being doing it anyway.

Scott K

Reply to:

References:
- sslv2 and openssl 1.0
  - From: Jérémy Lal <kapouer@melix.org>

Prev by Date: sslv2 and openssl 1.0
Next by Date: Re: oops I sent a courtesy copy in violation of the code of conduct
Previous by thread: sslv2 and openssl 1.0
Next by thread: Re: sslv2 and openssl 1.0
Index(es):
- Date
- Thread