Re: sslv2 and openssl 1.0

To: Jérémy Lal <kapouer@melix.org>
Cc: debian-devel@lists.debian.org
Subject: Re: sslv2 and openssl 1.0
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 3 Apr 2011 13:29:39 +0200
Message-id: <[🔎] 20110403112939.GA15954@roeckx.be>
In-reply-to: <[🔎] 4D97C4C1.7040202@melix.org>
References: <[🔎] 4D97C4C1.7040202@melix.org>

On Sun, Apr 03, 2011 at 02:52:17AM +0200, Jérémy Lal wrote:
> Hi,
> 
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server :
> 
> 1) patch package to disable code that use sslv2, and explain
>    why in README.Debian.
>    People might complain about old sslv2 clients in case the
>    packaged software is a server (telepathy-*, web servers)
> 
> 2) continue using sslv2 until upstream drops it
>    (using some unknown flag to enable it at build time)

There is no way to enable sslv2 anymore in the openssl library.  I
will not re-add support for sslv2.

I doubt that there are many applications that only work with sslv2,
and if there are it's about time they start getting fixed to support
at least sslv3.  Supporting tls would be even better.

Please note that any ssl connections has a way to indicate which
versions of ssl/tls they support.  If they already use a library
like openssl to do ssl, and didn't force the library to only do
sslv2, there shouldn't be a problem.

Kurt

Reply to:

References:
- sslv2 and openssl 1.0
  - From: Jérémy Lal <kapouer@melix.org>

Prev by Date: Re: Bits from the Release Team - Kicking off Wheezy
Next by Date: Re: sslv2 and openssl 1.0
Previous by thread: Re: sslv2 and openssl 1.0
Next by thread: Re: sslv2 and openssl 1.0
Index(es):
- Date
- Thread