SSLv2 - do we really need it?

Scott Kitterman ubuntu at
Mon Jul 21 05:23:25 UTC 2008

On Mon, 21 Jul 2008 06:58:41 +0200 Ante Karamatic <ivoks at> wrote:
>I've been working on:
>Two of our SSL libraries have SSLv2 disabled (or non-existing) by
>default - GnuTLS and NSS. Since SSLv2 is archaic and shouldn't be used
>at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
>OpenSSL too. And I think everybody would prefer that over changing
>configuration for each package. I realize that this might be a huge
>change and maybe should be done in Debian, but the impact should be
>minimal (if any).
>Are there any packages/programs that anyone is aware of that still
>don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
>was released)?
>How about 3rd party clients? For those cases, sysadmins would prefer
>a configuration option in packages.
>I'll continue working on configuration patches of services, but still
>would like to hear opinions on this subject.

V2 should not be considered cryptographically secure as I understand it. If anything breaks,
better to break it now than deal with security uploads after release.

Scott K

