Re: embedding openssl source in sslcan

[Raphael Hertzog <hertzog@debian.org>]

On Sat, 31 Dec 2016, Julien Cristau wrote:
> On Thu, Dec 22, 2016 at 13:37:11 +0100, Sebastian Andrzej Siewior wrote:
> 
> > tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its
> > source?
> > 
> > sslscan [0] as packaged in Debian currently relies on external libssl as
> > provided by the openssl package. The openssl package disables support
> > compression, SSLv2 and SSLv3 which is good but it also means that
> > sslscan can not detect a SSL implementation that is still providing
> > support for one of these deprecated protocols or compression.
> > One could say that it is not required to test for SSLv2 because if
> > libssl does not support it then it is not possible for an application to
> > offer it. However libssl is not the only SSL toolkit in Debian and one
> > might need to scan a non-Debian / older machine.
> > 
> Is this really something we need to be shipping?  If yes, I'd personally
> really like this to get an explicit exemption from normal policy by the
> security team, so please talk to them (debian-security@ldo is not it).

"need" is somewhat hard to define, but to give an additional data point,
it's one of the things that we do in Kali to make it more useful for
security professionals so it would be nice if it we could do it in Debian
as well.

That said sslscan is not the only tool where it could be useful and
packaging an alternate openssl-insecure should be considered too if it's
feasible (at least so that we can have alternative versions of the openssl
command line tools that can continue to support SSL2 and SSL3).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/