
Bug#803259: support for deprecated openssl features



Hi,

I think a separate openssl-insecure package with a (possibly statically
linked) "/usr/bin/openssl-insecure" binary should be safe enough that
people don't "accidentally" use it.

If you would want to really make sure it isn't abused you'd put it
somewhere in /usr/lib/openssl-insecure/.

Building it from the same source as the standard openssl binary is the
higher risk in my opinion: what if some of the insecure build options
suddenly get applied to the main build?

Also upstream might remove some of the deprecated/broken features from
the code completely, in which case testssl.sh probably needs to learn to
use multiple binaries.

JFYI: I think the testssl.sh upstream openssl binary also has some other
patches, e.g. enabling IPv6.

cheers,
Stefan


