embedding openssl source in sslcan

To: debian-release@lists.debian.org, debian-security@lists.debian.org, pkg-openssl-devel@lists.alioth.debian.org
Cc: Marvin Stark <marv@der-marv.de>
Subject: embedding openssl source in sslcan
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Thu, 22 Dec 2016 13:37:11 +0100
Message-id: <[🔎] 20161222123710.pbppawo4k6trfzyy@breakpoint.cc>

tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its
source?

sslscan [0] as packaged in Debian currently relies on external libssl as
provided by the openssl package. The openssl package disables support
compression, SSLv2 and SSLv3 which is good but it also means that
sslscan can not detect a SSL implementation that is still providing
support for one of these deprecated protocols or compression.
One could say that it is not required to test for SSLv2 because if
libssl does not support it then it is not possible for an application to
offer it. However libssl is not the only SSL toolkit in Debian and one
might need to scan a non-Debian / older machine.

[0] https://github.com/rbsec/sslscan

Sebastian

Reply to:

Follow-Ups:
- Re: embedding openssl source in sslcan
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Re: HTTPS needs to be implemented for updating
Next by Date: Call for testing: upcoming squid3 security update
Previous by thread: Re: HTTPS needs to be implemented for updating
Next by thread: Re: embedding openssl source in sslcan
Index(es):
- Date
- Thread