SSLv2 - do we really need it?

Kees Cook kees at ubuntu.com
Mon Jul 21 17:28:37 BST 2008


Hi,

On Sun, Jul 20, 2008 at 11:45:22PM -0700, Steve Langasek wrote:
> On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
> > at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
> > OpenSSL too. And I think everybody would prefer that over changing
> > configuration for each package. I realize that this might be a huge
> > change and maybe should be done in Debian, but the impact should be
> > minimal (if any).
> 
> > Are there any packages/programs that anyone is aware of that still
> > don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
> > was released)?
> 
> There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
> an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
> <http://bugs.debian.org/466477>
> 
> Given that the OpenLDAP packages are already /not/ using OpenSSL this
> doesn't apply directly, but there might be other examples of such things in
> the wild that users need to be able to maintain compatibility with.

If we consider such things to be corner cases, I would say that
disabling SSLv2 in openssl makes sense -- we should provide a safe set
of crypto functions by default.

-Kees

-- 
Kees Cook
Ubuntu Security Team



More information about the ubuntu-devel mailing list
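Before turning SSLv2 off distribution-wide, an administrator will want to know which of their own endpoints still negotiate it. The script below is an added example written for this page, not code from the thread, from Ubuntu or from OpenSSL: it hand-builds an SSLv2 CLIENT-HELLO, classifies whatever comes back (an SSLv2 SERVER-HELLO, a TLS alert from a peer with SSLv2 disabled, or a closed connection), and can be pointed at a live host. The cipher-kind table follows the SSLv2 codes from OpenSSL's ssl2.h; the two sample replies are constructed by hand so the parsing runs offline, and `probe()` and its host/port arguments are my own names.

```python
"""Check whether an endpoint still accepts an SSLv2 handshake.

Added example, not from the thread. The record layouts follow the
SSLv2 specification; sample replies below are constructed by hand.
"""
import socket
import struct
import sys

# SSLv2 cipher-kind codes (3 bytes each) -> names, as in OpenSSL's ssl2.h
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4


def build_client_hello(ciphers=tuple(SSLV2_CIPHERS), challenge=b"\x11" * 16):
    """Return one SSLv2 record carrying a CLIENT-HELLO offering `ciphers`."""
    specs = b"".join(ciphers)
    # msg type, version 0x0002, cipher-spec len, session-id len, challenge len
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(specs), 0, len(challenge))
    body += specs + challenge
    # 2-byte record header: high bit set, 15-bit length, no padding byte
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_record(data):
    """Split off one SSLv2 record; returns (payload, rest) or None if short."""
    if len(data) < 2:
        return None
    if data[0] & 0x80:                       # 2-byte header, no padding
        length = ((data[0] & 0x7F) << 8) | data[1]
        start = 2
    else:                                    # 3-byte header, third byte is padding
        if len(data) < 3:
            return None
        length = ((data[0] & 0x3F) << 8) | data[1]
        start = 3
    if len(data) < start + length:
        return None
    return data[start:start + length], data[start + length:]


def classify_response(data):
    """Describe what a server sent back in reply to our SSLv2 CLIENT-HELLO."""
    if not data:
        return {"kind": "closed"}
    # A TLS alert record (content type 0x15) means the peer refused SSLv2.
    if data[0] == 0x15 and len(data) >= 7:
        return {"kind": "tls-alert", "description": data[6]}
    rec = parse_record(data)
    if rec is None:
        return {"kind": "unknown"}
    payload, _rest = rec
    if len(payload) < 11 or payload[0] != MSG_SERVER_HELLO:
        return {"kind": "unknown"}
    # SERVER-HELLO: msg, session-id-hit, cert type, version, cert len,
    # cipher-spec len, connection-id len, then cert, specs, connection id
    (_msg, _hit, _cert_type, version, cert_len,
     spec_len, _conn_len) = struct.unpack("!BBBHHHH", payload[:11])
    specs = payload[11 + cert_len:11 + cert_len + spec_len]
    if len(specs) != spec_len:
        return {"kind": "unknown"}
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, spec_len, 3)]
    return {"kind": "sslv2", "version": version, "ciphers": names}


def probe(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a live host (hypothetical helper) and classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


# Constructed SSLv2 SERVER-HELLO: no certificate, two cipher kinds, 16-byte conn id
SAMPLE_SSLV2_REPLY = (
    b"\x80\x21"                  # record header: 33-byte payload
    b"\x04\x00\x01\x00\x02"      # SERVER-HELLO, no session hit, X.509, version 2
    b"\x00\x00\x00\x06\x00\x10"  # cert len 0, cipher-spec len 6, conn-id len 16
    b"\x01\x00\x80\x07\x00\xc0"  # RC4_128_WITH_MD5, DES_192_EDE3_CBC_WITH_MD5
    + b"\xaa" * 16
)
# Constructed TLS fatal alert protocol_version (70) from a peer with SSLv2 off
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe(host, int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of kind `sslv2` is the finding to chase: the listed cipher kinds show exactly what the server would have agreed to, and every SSLv2 suite uses MD5 and a weak key exchange. A `tls-alert` or `closed` result is what a host with SSLv2 disabled should produce.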