SSLv2 - do we really need it?

Steve Langasek steve.langasek at canonical.com
Mon Jul 21 17:51:48 BST 2008


On Mon, Jul 21, 2008 at 09:28:37AM -0700, Kees Cook wrote:
> On Sun, Jul 20, 2008 at 11:45:22PM -0700, Steve Langasek wrote:
> > On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
> > > at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
> > > OpenSSL too. And I think everybody would prefer that over changing
> > > configuration for each package. I realize that this might be a huge
> > > change and maybe should be done in Debian, but the impact should be
> > > minimal (if any).

> > > Are there any packages/programs that anyone is aware of that still
> > > don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
> > > was released)?

> > There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
> > an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
> > <http://bugs.debian.org/466477>

> > Given that the OpenLDAP packages are already /not/ using OpenSSL this
> > doesn't apply directly, but there might be other examples of such things in
> > the wild that users need to be able to maintain compatibility with.

> If we consider such things to be corner cases, I would say that
> disabling SSLv2 in openssl makes sense -- we should provide a safe set
> of crypto functions by default.

How will users who need SSLv2 support re-enable it?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
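Whether anyone still needs SSLv2 (the question running through the thread) turns on telling a genuine SSLv2-only client apart from one that merely uses the SSLv2-compatible hello format to offer SSLv3/TLS, which was the common case at the time. The following is an added example, not code from the thread or from OpenSSL: it classifies the opening bytes of a captured client hello, with the function names, `build_v2_hello` helper and sample hellos all constructed here.

```python
# Added example (not from the thread): classify the first bytes of a client
# hello as captured from the wire, so an operator can tell an SSLv2-only client
# from one that only uses the v2-compatible hello format.  Samples are constructed.
import struct

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS1.0",
                 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def classify_client_hello(data: bytes) -> dict:
    """Summarise a hello: record format, highest version offered, and (for the
    SSLv2 record format) the 3-byte cipher specs it lists."""
    if len(data) < 5:
        raise ValueError("too short to be a handshake record")
    # SSLv3/TLS record: content type 0x16 (handshake) followed by a 0x03.xx version.
    if data[0] == 0x16 and data[1] == 0x03:
        version = struct.unpack("!H", data[1:3])[0]
        # The version the client actually offers sits in the ClientHello body.
        if len(data) >= 11 and data[5] == 0x01:
            version = struct.unpack("!H", data[9:11])[0]
        return {"format": "sslv3/tls", "version": VERSION_NAMES.get(version, hex(version)),
                "cipher_specs": None, "sslv2_only": False}
    # SSLv2 record: 2-byte header with the high bit set (no padding byte) and the
    # low 15 bits as record length; body starts with msg type 1 = CLIENT-HELLO.
    # A 3-byte header (high bit clear, padded record) is not handled here.
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9:
            raise ValueError("truncated SSLv2 CLIENT-HELLO")
        # CLIENT-VERSION, CIPHER-SPECS-LENGTH, SESSION-ID-LENGTH, CHALLENGE-LENGTH
        version, cs_len, _sid_len, _chal_len = struct.unpack("!HHHH", body[1:9])
        specs = body[9:9 + cs_len]
        cipher_specs = [specs[i:i + 3].hex() for i in range(0, len(specs), 3)]
        return {"format": "sslv2", "version": VERSION_NAMES.get(version, hex(version)),
                "cipher_specs": cipher_specs,
                # Only a v2-format hello that offers nothing newer than 0x0002
                # comes from a client that really depends on SSLv2.
                "sslv2_only": version == 0x0002}
    raise ValueError("not a recognised SSL/TLS client hello")


def build_v2_hello(version: int, cipher_specs: bytes, challenge: bytes) -> bytes:
    """Construct a v2-format CLIENT-HELLO (empty session id) for the samples below."""
    body = bytes([0x01]) + struct.pack("!HHHH", version, len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


# Constructed samples: an SSLv2-only hello, a v2-format hello offering TLS 1.0,
# and a plain TLS record whose ClientHello offers TLS 1.2.
SSLV2_ONLY_HELLO = build_v2_hello(0x0002, bytes.fromhex("010080"), b"\x11" * 16)
V2_COMPAT_TLS_HELLO = build_v2_hello(0x0301, bytes.fromhex("010080" "00002f"), b"\x22" * 16)
TLS_HELLO = bytes.fromhex("160301000601000002" "0303")
```

Run against real captures, an SSLv2-only client shows up as `format == "sslv2"` with `sslv2_only` true; a v2-format hello that lists a 0x03.xx version is just a compatibility hello and loses nothing if the library refuses SSLv2.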