On 2016/03/17 09:19 +0100, Jan Holzhueter wrote:
> well it broke ABI. Which kind of sucks too.
> http://ptribble.blogspot.de/2016/03/moving-goalposts-with-openssl.html
What's pathetic is that distro makers are now whining that they are forced to get their fingers out of their collective asses, because, boo-hoo, the defaults have changed. Whereas not so long ago, people were whining that OpenSSL sucked because, boo-hoo, its defaults never changed.

After checking my calendar again, yep, it's 2016. OpenSSL have been saying for at least 2 years that SSLv2 should have been disabled! It's not NEWS that SSLv2 is broken! So WHY was it kept enabled? Because it's just easier to use defaults, so then they can reject responsibility to somebody else?

«OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and provide other options through Configure and config, and the following lists some of them.»
https://wiki.openssl.org/index.php/Compilation_and_Installation

So, here's a thought: stop assuming that OpenSSL, a project that's been underfunded until it got in the news, will magically deal with every issue with old protocols. Packagers should use their brains: if they don't have a compelling reason to keep an old crufty protocol, why is it enabled?

Laurent
