SSLv2 - do we really need it?

Ante Karamatic ivoks at grad.hr
Mon Jul 21 05:58:41 BST 2008


Hello

I've been working on:

https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2

Two of our SSL libraries have SSLv2 disabled (or non-existing) by
default - GnuTLS and NSS. Since SSLv2 is archaic and shouldn't be used
at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
OpenSSL too. And I think everybody would prefer that over changing
configuration for each package. I realize that this might be a huge
change and maybe should be done in Debian, but the impact should be
minimal (if any).

Are there any packages/programs that anyone is aware of that still
don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
was released)?

How about 3th party clients? For those cases, sysadmins would prefer
configuration option in packages.

I'll continue working on configuration patches of services, but still
would like to hear opinions on this subject.

Thanks



More information about the ubuntu-server mailing list