On Wed, Dec 31, 2014 at 02:00:23PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Wed, 2014-12-31 at 13:52 +0100, Kurt Roeckx wrote:
> > I would like to disable SSLv3 by default in wheezy.
>
> Do we know how well other packages in wheezy cope with that? (I'm going
> to guess "not as well as in jessie".)

I have no reason to believe there is a difference between jessie and wheezy in how packages cope with SSLv3 being disabled.

Please note that this only affects the SSLv23_* methods and that it just sets SSL_OP_NO_SSLv3 by default now. In jessie SSLv3 is just disabled; for wheezy I would change it to disabled by default with a way to turn it back on.

What could break is that apache for instance will now disable SSLv3 by default even though the config file doesn't seem to indicate that it's disabled. That could then result in it not working with some clients that do not support TLSv1 or newer. But that is also already the case in jessie.

One package that might be affected by this change is that python has a test suite that tries all possible combinations of settings and the test suite is probably going to fail because it's going to expect to be able to set up an SSLv3 connection.

> > Attached is a debdiff.
> > +openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium
>
> That's at least confusing.

Right, I should probably change that to wheezy instead.

Kurt
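The mismatch described in the message above (a server config that appears to allow SSLv3 while an option bit set by default on the context refuses it) can be checked by comparing the configuration against the options actually set on the context. This is an added example, not part of the original message or of the Debian patch; it uses Python's ssl module, which sets OP_NO_SSLv3 itself on new version-flexible contexts, and its `config_protocols` helper is a hypothetical, simplified reading of a mod_ssl style `SSLProtocol` value.

```python
import ssl

# OP_NO_* bits that switch off one protocol each on a version-flexible
# context (OpenSSL's SSLv23_* methods; PROTOCOL_TLS_* in Python).
NO_BITS = {
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}


def config_protocols(directive):
    """Simplified parse of an 'SSLProtocol' style value (assumption: only
    'all', bare names and +/- prefixes over the names in NO_BITS)."""
    enabled = set()
    for token in directive.split():
        sign, name = "+", token
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        names = set(NO_BITS) if name.lower() == "all" else {name}
        unknown = names - set(NO_BITS)
        if unknown:
            raise ValueError(f"unknown protocol: {sorted(unknown)}")
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def library_disabled(ctx):
    """Protocols switched off by option bits already set on the context."""
    return {name for name, bit in NO_BITS.items() if ctx.options & bit}


def silently_disabled(directive, ctx):
    """Protocols the config appears to allow but the context will refuse."""
    return sorted(config_protocols(directive) & library_disabled(ctx))


if __name__ == "__main__":
    # Constructed sample: a config value that never mentions SSLv3.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print(silently_disabled("all", ctx))
```
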