SSLv2 - do we really need it?

Neal McBurnett neal at bcn.boulder.co.us
Sat Jul 26 20:27:52 BST 2008


On Fri, Jul 25, 2008 at 08:29:25AM +0200, Soren Hansen wrote:
> On Thu, Jul 24, 2008 at 11:02:44AM -0700, Steve Langasek wrote: 
> >> I believe someone in another thread gave specific examples of 3rd
> >> party stuff that needed SSLv2 to function.  Forcing them to compile
> >> OpenSSL themselves seems worse to me.
> > Do you have a pointer to the examples of stuff still needing SSLv2?  I
> > hadn't seen any listed on ubuntu-devel.
> 
> I've tried looking through the ubuntu-server and ubuntu-devel{,-discuss}
> mailing list archives, and I can't seem to find it.  Same for my
> irclogs. I appear to be making it all up. I suppose if no one can come up
> with a single example of anything that requires SSLv2, then I guess it's
> all a moot point and we can just disable it, and deal with the fallout
> if any should turn up.

Well, I had the same thought in my mind, and it led me to something
Steve himself posted earlier:

On Sun, Jul 20, 2008 at 11:45:22PM -0700, Steve Langasek wrote:
> On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
> > https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2
> >
> > Are there any packages/programs that anyone is aware of that still
> > don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
> > was released)?
> 
> There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
> an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
> <http://bugs.debian.org/466477>
> 
> Given that the OpenLDAP packages are already /not/ using OpenSSL this
> doesn't apply directly, but there might be other examples of such things in
> the wild that users need to be able to maintain compatibility with.

So I'm confused about what Steve said.  I don't fully grok the bug,
but it sounds to me like there is presumed to be an IBM LDAP product
out there that can't be connected to because of lack of sslv2 support
in Ubuntu gnutls.  And thus it might have more problems with lack of
sslv2 in OpenSSL - e.g. if there is an Ubuntu LDAP client that uses
OpenSSL that would no longer have sslv2 in Intrepid.  Or again maybe
I'm just not grasping the issue in the bug....

Neal McBurnett                 http://mcburnett.org/neal/


