Re: sslv2 and openssl 1.0

2011-04-04 Thread Simon Josefsson
If there are any packages that use SSLv2 by default you might want to
file a security bug to get them fixed.  I believe SSLv2 is really that
bad; it just gives a false sense of security.

/Simon


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87mxk5hi3i@latte.josefsson.org



Re: sslv2 and openssl 1.0

2011-04-03 Thread Salvo Tomaselli
> For the record, the various Telepathy daemons typically act as SSL clients
> (where their various protocols support SSL at all), rather than SSL
> servers; for instance, telepathy-gabble not supporting SSLv2 would only be
> a problem if connecting to a SSLv2-only XMPP server.
Well, since ssl2 is not good, I would consider filing a bug report for any of
those servers, if they exist.


-- 
Salvo Tomaselli




Re: sslv2 and openssl 1.0

2011-04-03 Thread Kurt Roeckx
On Sun, Apr 03, 2011 at 02:52:17AM +0200, Jérémy Lal wrote:
> Hi,
> 
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server :
> 
> 1) patch package to disable code that uses sslv2, and explain
>    why in README.Debian.
>    People might complain about old sslv2 clients in case the
>    packaged software is a server (telepathy-*, web servers)
> 
> 2) continue using sslv2 until upstream drops it
>    (using some unknown flag to enable it at build time)

There is no way to enable sslv2 anymore in the openssl library.  I
will not re-add support for sslv2.

I doubt that there are many applications that only work with sslv2,
and if there are, it's about time they start getting fixed to support
at least sslv3.  Supporting tls would be even better.

Please note that any ssl connection has a way to indicate which
versions of ssl/tls it supports.  If they already use a library
like openssl to do ssl, and didn't force the library to only do
sslv2, there shouldn't be a problem.


Kurt


-- 
Archive: http://lists.debian.org/20110403112939.ga15...@roeckx.be
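The distinction Kurt draws above, between an application that lets the library negotiate the protocol version and one that forces it to SSLv2, is easy to check from the application side. The following is an added example, not part of this thread and not Debian or OpenSSL project code; it uses Python's standard-library ssl module (a wrapper around OpenSSL) rather than the C API, and the function names make_client_context, sslv2_negotiable, sslv3_negotiable, forced_sslv2_available and audit_context are this example's own. It also carries the caveat a maintainer auditing a package wants to know: on OpenSSL builds where SSLv2 is compiled out, the OP_NO_SSLv2 option bit is defined as 0, so testing that bit alone reports "not disabled" even though SSLv2 cannot be negotiated at all.

```python
"""Audit whether an OpenSSL-backed TLS context can still negotiate SSLv2.

Added example (not from the debian-devel thread). Shows the point made in
the message above: an application that lets the library negotiate the
version, instead of forcing SSLv2, never offers SSLv2 on a modern build.
"""
import ssl

# On OpenSSL >= 1.1.0 SSLv2 is compiled out and SSL_OP_NO_SSLv2 is defined
# as 0, so the bit test below is only meaningful on builds that still have
# SSLv2. The compile-time fact is exposed by the ssl module as HAS_SSLv2.
# getattr() keeps this running on Python versions that drop the constants.
OP_NO_SSLV2 = getattr(ssl, "OP_NO_SSLv2", 0)
OP_NO_SSLV3 = getattr(ssl, "OP_NO_SSLv3", 0)


def make_client_context() -> ssl.SSLContext:
    """Build a client context the recommended way: a version-negotiating
    context (PROTOCOL_TLS_CLIENT, not a fixed SSLv2/SSLv3 method) with an
    explicit protocol floor set through minimum_version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sslv2_negotiable(ctx: ssl.SSLContext) -> bool:
    """True only if this library build still contains SSLv2 *and* the
    context neither opts out of it nor sets a version floor above it."""
    if not ssl.HAS_SSLv2:            # compiled out: nothing to negotiate
        return False
    if ctx.options & OP_NO_SSLV2:    # explicitly disabled (old-style knob)
        return False
    # SSLv2 sits below SSLv3; any floor of SSLv3 or higher excludes it.
    return ctx.minimum_version < ssl.TLSVersion.SSLv3


def sslv3_negotiable(ctx: ssl.SSLContext) -> bool:
    """Same check for SSLv3, the next version the thread wants retired."""
    if not ssl.HAS_SSLv3:
        return False
    if ctx.options & OP_NO_SSLV3:
        return False
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


def forced_sslv2_available() -> bool:
    """Can an application even ask this library for an SSLv2-only context
    (the "forced the library to only do sslv2" case)? Modern builds do
    not expose PROTOCOL_SSLv2 at all, so such code fails at import time
    rather than silently speaking SSLv2."""
    return hasattr(ssl, "PROTOCOL_SSLv2")


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise what this context could negotiate, for a package audit."""
    return {
        "library_has_sslv2": ssl.HAS_SSLv2,
        "sslv2_negotiable": sslv2_negotiable(ctx),
        "sslv3_negotiable": sslv3_negotiable(ctx),
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for key, value in audit_context(make_client_context()).items():
        print(f"{key}: {value}")
    print(f"forced SSLv2 context possible: {forced_sslv2_available()}")
```

The floor is set with minimum_version rather than by OR-ing OP_NO_SSLv2 and OP_NO_SSLv3 into ctx.options, because the option bits are the deprecated mechanism and, as noted, OP_NO_SSLv2 is a no-op zero on builds without SSLv2; the negotiable checks still read the bits so that they give the right answer on an old build where they matter.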



Re: sslv2 and openssl 1.0

2011-04-03 Thread Simon McVittie
On Sun, 03 Apr 2011 at 02:52:17 +0200, Jérémy Lal wrote:
>    People might complain about old sslv2 clients in case the
>    packaged software is a server (telepathy-*, web servers)

For the record, the various Telepathy daemons typically act as SSL clients
(where their various protocols support SSL at all), rather than SSL servers;
for instance, telepathy-gabble not supporting SSLv2 would only be a problem
if connecting to a SSLv2-only XMPP server.

Current work on end-to-end encryption is likely to involve tunnelling TLS
through IM protocols, but I'd expect that to be TLS 1.0 rather than anything
older.

S


-- 
Archive: http://lists.debian.org/20110403110625.ga4...@reptile.pseudorandom.co.uk



Re: sslv2 and openssl 1.0

2011-04-02 Thread Scott Kitterman
On Saturday, April 02, 2011 08:52:17 PM Jérémy Lal wrote:
> Hi,
> 
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server :
> 
> 1) patch package to disable code that uses sslv2, and explain
>    why in README.Debian.
>    People might complain about old sslv2 clients in case the
>    packaged software is a server (telepathy-*, web servers)
> 
> 2) continue using sslv2 until upstream drops it
>    (using some unknown flag to enable it at build time)
> 
> In the case that concerns me, it's easy to do 1), but I believe
> it's up to the users to choose, so I'd rather do 2).
> However, I know how to disable it with -DOPENSSL_NO_SSL2,
> but not how to enable it.
> 
> Jérémy Lal

I think that given RFC 6176, disabling it is the right thing to do.  It's 
ancient, obsolete and cryptographically insecure.  Let it die.  Also, now, at 
the start of a development cycle, is the best time to begin doing it anyway.

Scott K


--
Archive: http://lists.debian.org/20110403.32345.deb...@kitterman.com



sslv2 and openssl 1.0

2011-04-02 Thread Jérémy Lal
Hi,

openssl 1.0.0-d is in unstable and by default disables
sslv2 methods, so what's the correct decision to make, regarding
packages that use ssl as client or server :

1) patch package to disable code that uses sslv2, and explain
   why in README.Debian.
   People might complain about old sslv2 clients in case the
   packaged software is a server (telepathy-*, web servers)

2) continue using sslv2 until upstream drops it
   (using some unknown flag to enable it at build time)

In the case that concerns me, it's easy to do 1), but I believe
it's up to the users to choose, so I'd rather do 2).
However, I know how to disable it with -DOPENSSL_NO_SSL2,
but not how to enable it.

Jérémy Lal


-- 
Archive: http://lists.debian.org/4d97c4c1.7040...@melix.org