
Bug#767663: openssl: completely drop SSLv3 support in jessie



On Sat, Nov 08, 2014 at 10:38:48PM +0100, Kurt Roeckx wrote:
> On Sat, Nov 08, 2014 at 09:19:18PM +0000, Emilio Pozuelo Monfort wrote:
> > On 08/11/14 18:55, Kurt Roeckx wrote:
> > >Will you accept patches for other packages that stop using the
> > >SSLv3 methods?
> > 
> > If the changes are sensible (e.g. not too invasive), sure. We'll consider
> > that on a case-by-case basis.
> 
> It depends on your definition of invasive.  They're all very
> simple changes, it's stopping to use functions they should never
> have used in the first place, and only use the SSLv23 methods
> instead.
> 
> I've filed 2 bugs with patches about this today:
> #768611: python2.7
> #768562: curl
> 
> (They would fix all those RC bugs people are filing)
> 
> As you can see in both patches, they're really easy.  But they
> both have the potential to break reverse dependencies.  And I want
> to break them, because they are broken.

So people have been fixing things at least in unstable, not sure
how many of those made it to testing.  That is, they changed from
supporting SSLv3 only to TLS1+.  But those changes actually make
them incompatible with the version in other branches that still
only use SSLv3.  I would argue that that is an RC bug since the
version from different branches can't talk to each other using SSL
anymore.

I would actually like to fix those packages in stable too.


Kurt

