
Bug#797926: transition: openssl: remove SSLv3 methods



Package: release.debian.org

Hi,

I would like to remove the last support for SSLv3 in openssl.
This means that I'll be dropping 3 symbols from the shared
library:
SSLv3_method();
SSLv3_server_method();
SSLv3_client_method();

Those can still be used to set up SSLv3 connections, while using
the SSLv23_* methods won't talk SSLv3.

This change will result in the define OPENSSL_NO_SSL3_METHOD
becoming defined.  Some software in Debian already checks for
either that define or the presence of the functions to enable
support for it or not.  I find those changes very unfortunate;
they should just have dropped SSLv3 support completely.

My question is how you want to proceed with this.  I see a few
options:
- Change the soname, rebuild everything against that new soname.
- Just drop the symbols, adding Breaks on at least some
  packages like curl and python that are known to need a rebuild
  against the changed headers.

As far as I know all the major packages making use of those
symbols should be fixed now, or have a fix available.


Kurt
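
A check a maintainer could run to see which binaries still import the three symbols named in the message above and so need a rebuild. This is an added example, not part of Kurt's message; the function names and the sample `nm` output are constructed, and it assumes binutils `nm` is available.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.

# The three symbols the message says will be dropped from the shared library.
REMOVED_SYMS='SSLv3_method SSLv3_server_method SSLv3_client_method'

# removed_refs: read `nm -D --undefined-only` style lines on stdin and print,
# sorted and one per line, each removed symbol that the binary imports.
removed_refs() {
    awk -v syms="$REMOVED_SYMS" '
        BEGIN { n = split(syms, list, " "); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        NF >= 2 && $(NF-1) == "U" {
            name = $NF
            sub(/@.*/, "", name)   # strip a symbol version suffix such as @OPENSSL_1.0.0
            if (name in want) print name
        }
    ' | sort -u
}

# scan_binary: run nm on one ELF file; return 1 if it imports a removed symbol.
scan_binary() {
    refs=$(nm -D --undefined-only "$1" 2>/dev/null | removed_refs)
    if [ -n "$refs" ]; then
        printf '%s: imports %s\n' "$1" "$(echo $refs)"
        return 1
    fi
    return 0
}

# Constructed sample of nm output for a hypothetical client binary.
sample_nm_output() {
    cat <<'EOF'
                 U SSL_CTX_new@OPENSSL_1.0.0
                 U SSLv23_client_method@OPENSSL_1.0.0
                 U SSLv3_client_method@OPENSSL_1.0.0
                 U SSLv3_method
                 w __gmon_start__
EOF
}

# When given file arguments, scan each one and report the ones needing a rebuild.
status=0
for f in "$@"; do
    scan_binary "$f" || status=1
done
```

`SSLv23_client_method` in the sample is not reported: only exact matches on the three removed names count, with or without a symbol version suffix.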

