SSLv2 - do we really need it?

Ante Karamatic ivoks at grad.hr
Mon Jul 21 18:25:56 UTC 2008


On Mon, 21 Jul 2008 09:42:40 -0700
Nick Barcet <nick.barcet at canonical.com> wrote:

> While I fully agree about this on the principle, I would disagree if
> the method was to disable this at compile time in OpenSSL.  I would
> consider a conf file modification acceptable for the corner cases,
> not a recompile.  I am not sure which method was suggested by Ante to
> do the change, though.

I would prefer disabling SSLv2 in OpenSSL at compile time, cause
disabling SSLv2 in services isn't very easy with so strict packaging :)
And, disabling it in openssl would solve the problem everywhere.

I'm not convinced that we should try keeping up with old or buggy
clients which don't support TLS1 or SSLv3.

Until we decide on this, I'll continue patching packages in such a way
that upgrades wouldn't change anything (SSLv2 would still be enabled),
but new installs would have SSLv2 disabled (with an option to enable it;
explained in README.Debian). There will be cases, like vsftpd, where
this won't be possible, and SSLv2 will be disabled by default (even on
upgrades). Disabling SSLv2 on upgrades on all packages would make this
job *a lot* easier.

In case I don't attend the meeting tomorrow, my patches will be
available at http://www.grad.hr/~ivoks/ubuntu.
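A check that goes with the compile-time approach discussed in this thread, added here as an example (it is not from the mail or from Ubuntu's packages): an OpenSSL built with the `no-ssl2` configure option drops the `-ssl2` option from its command-line tools, so asking `openssl ciphers` for the SSLv2 cipher list fails on such a build. The script below uses that to report whether the OpenSSL installed on the host still speaks SSLv2; the function names and the three status words are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original mail: report whether the OpenSSL on
# this host was built with SSLv2 support. Prints exactly one of:
#   supported   - "openssl ciphers -ssl2" works, SSLv2 is compiled in
#   disabled    - the -ssl2 option is unknown (built with no-ssl2, or a
#                 release that removed SSLv2 entirely)
#   no-openssl  - no openssl binary on PATH
sslv2_status() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo no-openssl
        return 0
    fi
    # With SSLv2 compiled in, this lists the SSLv2 cipher suites and exits 0;
    # without it the option is rejected and the command exits non-zero.
    if openssl ciphers -ssl2 >/dev/null 2>&1; then
        echo supported
    else
        echo disabled
    fi
}

# Exit non-zero when SSLv2 is still available, so the check can gate a
# package build or a post-install test.
check_no_sslv2() {
    status=$(sslv2_status)
    echo "openssl SSLv2 support: $status"
    [ "$status" != supported ]
}
```

Source the file and run `check_no_sslv2` after building or upgrading OpenSSL; a non-zero exit means the library would still accept SSLv2 regardless of what the individual services are configured to offer.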