SSLv2 - do we really need it?

Scott Kitterman ubuntu at kitterman.com
Mon Jul 21 06:23:25 BST 2008


On Mon, 21 Jul 2008 06:58:41 +0200 Ante Karamatic <ivoks at grad.hr> wrote:
>Hello
>
>I've been working on:
>
>https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2
>
>Two of our SSL libraries have SSLv2 disabled (or non-existing) by
>default - GnuTLS and NSS. Since SSLv2 is archaic and shouldn't be used
>at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
>OpenSSL too. And I think everybody would prefer that over changing
>configuration for each package. I realize that this might be a huge
>change and maybe should be done in Debian, but the impact should be
>minimal (if any).
>
>Are there any packages/programs that anyone is aware of that still
>don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
>was released)?
>
>How about 3rd party clients? For those cases, sysadmins would prefer a
>configuration option in packages.
>
>I'll continue working on configuration patches of services, but still
>would like to hear opinions on this subject.

V2 should not be considered cryptographically secure as I understand it.  If anything breaks, 
better to break it now than deal with security uploads after release.

Scott K
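Ante asks whether anything still speaks only SSLv2. One way to answer that before disabling the protocol is to look at what clients actually send: an SSLv2-format ClientHello whose version field is 0x0002 comes from a client that cannot do better, while one advertising 0x0300 or higher is just using the backward-compatible record format. The classifier below is an added example written for this page, not code from the thread or from OpenSSL; the sample records are constructed, not captured.

```python
"""Classify the first bytes of a captured SSL/TLS connection so that
SSLv2-only clients can be found before SSLv2 is disabled in the library."""
import struct

SSL2_CLIENT_HELLO = 0x01   # SSLv2 CLIENT-HELLO message type
TLS_HANDSHAKE = 0x16       # SSLv3/TLS record content type "handshake"


def classify_client_hello(data: bytes) -> str:
    """Return 'sslv2-only', 'sslv2-compatible', 'sslv3/tls' or 'unknown'.

    An SSLv2 record starts with a 2-byte header whose high bit is set and
    whose low 15 bits carry the length; an SSLv3/TLS record starts with
    content type 0x16 and a 0x03xx version.  The version *inside* an SSLv2
    ClientHello decides whether the client is really stuck on SSLv2.
    """
    if len(data) < 5:
        return "unknown"
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 3 or body[0] != SSL2_CLIENT_HELLO:
            return "unknown"
        version = struct.unpack("!H", body[1:3])[0]
        if version == 0x0002:
            return "sslv2-only"          # genuinely needs SSLv2
        if version >= 0x0300:
            return "sslv2-compatible"    # v2 framing, but offers SSLv3/TLS
        return "unknown"
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "sslv3/tls"
    return "unknown"


def audit(records) -> dict:
    """Count how many observed ClientHellos fall into each class."""
    counts = {}
    for rec in records:
        kind = classify_client_hello(rec)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed samples: SSLv2 hello (RC4-128-MD5, 16-byte challenge), the same
# hello advertising TLS 1.0 in its version field, and a bare TLS 1.0 record.
SSLV2_ONLY = bytes.fromhex("801c01000200030000001001008041" + "41" * 15)
SSLV2_COMPAT = bytes.fromhex("801c01030100030000001001008041" + "41" * 15)
TLS_HELLO = bytes.fromhex("16030100050100000100")

if __name__ == "__main__":
    print(audit([SSLV2_ONLY, SSLV2_COMPAT, TLS_HELLO, b"\x00"]))
```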