SSLv2 - do we really need it?

Kees Cook kees at
Mon Jul 21 17:28:37 BST 2008


On Sun, Jul 20, 2008 at 11:45:22PM -0700, Steve Langasek wrote:
> On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
> > at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
> > OpenSSL too. And I think everybody would prefer that over changing
> > configuration for each package. I realize that this might be a huge
> > change and maybe should be done in Debian, but the impact should be
> > minimal (if any).
> > Are there any packages/programs that anyone is aware of that still
> > don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
> > was released)?
> There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
> an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
> <>
> Given that the OpenLDAP packages are already /not/ using OpenSSL this
> doesn't apply directly, but there might be other examples of such things in
> the wild that users need to be able to maintain compatibility with.

If we consider such things to be a corner-cases, I would say that
disabling SSLv2 in openssl makes sense -- we should provide a safe set
of crypto function by default.


Kees Cook
Ubuntu Security Team

More information about the ubuntu-devel mailing list