really drop SSLv2

Stephan Hermann sh at sourcecode.de
Tue Jul 20 07:37:27 BST 2010


On Mon, 2010-07-19 at 14:12 -0700, Kees Cook wrote:
> In 2008 there was discussion[1] about disabling SSLv2 in OpenSSL. The
> conclusion seemed favorable for it, and so it was attempted[2] in openssl
> 0.9.8g-10.1ubuntu2 for Intrepid.
> 
> Unfortunately, this change seems to have had no effect on the build, and
> SSLv2 has remained available. I would like to propose fixing this for real
> now, and documenting the change in the SSL man pages.
> 
> I'd like to point out that even as far back as Dapper, GnuTLS has not
> supported SSLv2; IMO, it is high time to make it go away for OpenSSL too.
> 
> The attached debdiff would disallow the use of SSLv2 in any mode without
> wrecking the openssl library ABI.
> 

Yes please, make it go away.

People who are configuring mod_ssl with openssl the wrong way always
have problems when a security audit comes along.

SSLv2 is deprecated and should never be used in any scenario.

Regards,

\sh
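The mod_ssl misconfiguration mentioned above is easy to audit for. The following is an added example, not code from the thread or from Ubuntu: it evaluates `SSLProtocol` directives the way mod_ssl of that era did (tokens left to right, `+`/bare adds, `-` removes, `all` as a shortcut) and flags every directive, or the implicit default, that still leaves SSLv2 enabled. It assumes the 2010-era semantics where `all` expands to SSLv2, SSLv3 and TLSv1; the vhost snippets are constructed.

```python
import re

# Protocol keywords of the Apache 2.2 / OpenSSL 0.9.8 era this thread dates from.
# Assumption (not stated in the thread): "all" expanded to SSLv2+SSLv3+TLSv1
# whenever the underlying OpenSSL was still built with SSLv2 support.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
CANON = {p.lower(): p for p in ALL_PROTOCOLS}

def enabled_protocols(directive_value):
    """Evaluate an SSLProtocol value as mod_ssl does: tokens are processed
    left to right, '+' or a bare name adds, '-' removes, 'all' is a shortcut."""
    enabled = set()
    for tok in directive_value.split():
        sign = "+"
        if tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        name = tok.lower()
        if name == "all":
            names = set(ALL_PROTOCOLS)
        elif name in CANON:
            names = {CANON[name]}
        else:
            raise ValueError("unknown SSLProtocol keyword: %r" % tok)
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled

DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

def audit_sslv2(config_text):
    """Return (directive value, enabled protocols) for every SSLProtocol line
    that still permits SSLv2. A config with no SSLProtocol line inherits
    mod_ssl's default of 'all', which is reported as well."""
    findings = []
    values = DIRECTIVE.findall(config_text) or ["all"]  # "all" = implicit default
    for value in values:
        protos = enabled_protocols(value)
        if "SSLv2" in protos:
            findings.append((value, sorted(protos)))
    return findings

# Constructed sample vhost snippets; the weak one relies on the default expansion.
WEAK_CONFIG = "<VirtualHost *:443>\n    SSLEngine on\n    SSLProtocol all\n</VirtualHost>\n"
FIXED_CONFIG = WEAK_CONFIG.replace("SSLProtocol all", "SSLProtocol all -SSLv2")

if __name__ == "__main__":
    print("weak :", audit_sslv2(WEAK_CONFIG))   # [('all', ['SSLv2', 'SSLv3', 'TLSv1'])]
    print("fixed:", audit_sslv2(FIXED_CONFIG))  # []
```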
