
Bug#767663: openssl: completely drop SSLv3 support in jessie



On Sat, Nov 08, 2014 at 09:19:18PM +0000, Emilio Pozuelo Monfort wrote:
> On 08/11/14 18:55, Kurt Roeckx wrote:
> >On Sat, Nov 08, 2014 at 03:38:35PM +0000, Julien Cristau wrote:
> >>On Sat, Nov  1, 2014 at 20:21:21 +0100, Kurt Roeckx wrote:
> >>
> >>>Package: release.debian.org
> >>>Severity: normal
> >>>
> >>>Hi,
> >>>
> >>>SSLv3 has been disabled in jessie already, at least for normal
> >>>usage.  But there is a way to explicitly create a socket that only
> >>>supports SSLv3 and I would like to disable that too.
> >>>
> >>No, it's much too late for this, sorry.
> >
> >Will you accept patches for other packages that stop using the
> >SSLv3 methods?
> 
> If the changes are sensible (e.g. not too invasive), sure. We'll consider
> that on a case-by-case basis.

It depends on your definition of invasive.  They're all very
simple changes, it's stopping to use functions they should never
have used in the first place, and only use the SSLv23 methods
instead.

I've filed 2 bugs with patches about this today:
#768611: python2.7
#768562: curl

(They would fix all those RC bugs people are filing)

As you can see in both patches, they're really easy.  But they
both have the potential to break reverse dependencies.  And I want
to break them, because they are broken.


Kurt
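
An added example, not part of the original message or of either patch: a small Python audit that flags calls to OpenSSL's SSLv3-only method constructors in C source and names the SSLv23 counterpart, ignoring mentions inside comments and string literals. The function name `find_sslv3_only_calls` and the sample source are constructed for illustration.

```python
import re

# SSLv3-only OpenSSL constructors and the version-negotiating SSLv23
# method the message says callers should use instead.
REPLACEMENTS = {
    "SSLv3_method": "SSLv23_method",
    "SSLv3_client_method": "SSLv23_client_method",
    "SSLv3_server_method": "SSLv23_server_method",
}
CALL_RE = re.compile(r"\b(SSLv3_(?:client_|server_)?method)\s*\(")
# Comments and string literals, blanked so mentions in them are not reported.
NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)

def _blank(match):
    # Keep newlines so line numbers stay correct after blanking.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_sslv3_only_calls(source):
    """Return (line_number, found_call, suggested_call) for each hit."""
    cleaned = NOISE_RE.sub(_blank, source)
    hits = []
    for m in CALL_RE.finditer(cleaned):
        line = cleaned.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1), REPLACEMENTS[m.group(1)]))
    return hits

# Constructed sample input, not taken from any real package.
SAMPLE_C = '''\
#include <openssl/ssl.h>
/* Legacy note: SSLv3_method() used to be the default here. */
SSL_CTX *make_client(int legacy) {
    if (legacy)
        return SSL_CTX_new(SSLv3_client_method());
    return SSL_CTX_new(SSLv23_client_method());
}
SSL_CTX *make_server(void) {
    log("falling back to SSLv3_server_method()");  // SSLv3_method() in comment
    return SSL_CTX_new(SSLv3_server_method ());
}
'''

if __name__ == "__main__":
    for line, found, better in find_sslv3_only_calls(SAMPLE_C):
        print(f"line {line}: {found}() -> {better}()")
```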

