
Bug#774299: wheezy-pu: openssl: disable SSLv3 by default



On Wed, Dec 31, 2014 at 04:41:29PM +0100, Kurt Roeckx wrote:
> On Wed, Dec 31, 2014 at 02:00:23PM +0000, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Wed, 2014-12-31 at 13:52 +0100, Kurt Roeckx wrote:
> > > I would like to disable SSLv3 by default in wheezy.
>
> > Do we know how well other packages in wheezy cope with that? (I'm going
> > to guess "not as well as in jessie".)
> 
> I have no reason to believe there is a difference between jessie
> and wheezy in how packages cope with SSLv3 being disabled.  Please
> note that this only affects the SSLv23_* methods and that it just
> sets SSL_OP_NO_SSLv3 by default now.  In jessie SSLv3 is just
> disabled, for wheezy I would change it to disabled by default
> with a way to turn it back on.
>
> What could break is that apache for instance will now disable
> SSLv3 by default even though the config file doesn't seem to
> indicate that it's disabled.  That could then result in it not
> working with some clients that do not support TLSv1 or newer.  But
> that is also already the case in jessie.
> 
> One package that might be affected by this change is that python
> has a test suite that tries all possible combinations of settings
> and the test suite is probably going to fail because it's going to
> expect to be able to set up an SSLv3 connection.

I will rebuild python in wheezy to check that.

Cheers,
        Moritz

