SSLv2 - do we really need it?
Steve Langasek
steve.langasek at ubuntu.com
Mon Jul 21 07:45:22 BST 2008
On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
> I've been working on:
> https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2
> Two of our SSL libraries have SSLv2 disabled (or non-existing) by
> default - GnuTLS and NSS. Since SSLv2 is archaic and shouldn't be used
> at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
> OpenSSL too. And I think everybody would prefer that over changing
> configuration for each package. I realize that this might be a huge
> change and maybe should be done in Debian, but the impact should be
> minimal (if any).
> Are there any packages/programs that anyone is aware of that still
> don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
> was released)?
There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
<http://bugs.debian.org/466477>
Given that the OpenLDAP packages are already /not/ using OpenSSL this
doesn't apply directly, but there might be other examples of such things in
the wild that users need to be able to maintain compatibility with.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
More information about the ubuntu-devel mailing list