SSLv2 - do we really need it?

Scott Kitterman ubuntu at kitterman.com
Thu Jul 24 20:03:47 UTC 2008


On Wednesday 23 July 2008 21:50, Michael Casadevall wrote:
Top posting fixed ...
> On Tue, Jul 22, 2008 at 9:43 AM, Ante Karamatic <ivoks at grad.hr> wrote:
> > On Tue, 22 Jul 2008 08:22:13 -0500
> >
> > "Dustin Kirkland" <kirkland at canonical.com> wrote:
> > > And as soon as we get to the point where no packages depend on that,
> > > we remove it?
> >
> > Our packages shouldn't be the problem (I doubt we have SSLv2-only
> > clients or servers). If there are problematic packages, then by
> > definition those problems are bugs.
> >
> > The problems are third-party packages, like the XYZ IMAP client from the ABCD
> > company which supports only SSLv2 (I'm not aware of any program like
> > that, but you get my point). For sysadmins of servers which have
> > clients like that, openssl with SSLv2 is a must-have.
> >
> > I like the idea of an additional package in universe. But how many
> > problems could that produce?
> >
> Well, if a user has both Universe and Main enabled and we have an
> openssl-sslv2 package, which is the same package except with SSLv2 compiled in, all
> it needs is a Replaces/Conflicts/Provides which removes the sslv3-only
> package.
>
> That way, any users who need it (and those who need it likely already know)
> are simply an aptitude command away from having the necessary support.
>
So SSLv2 is not sufficiently cryptographically secure for Main, but it's OK 
for Universe?  I know Canonical does not promise security support for 
Universe and it's mostly done by the community, but I don't think there is a 
difference in the desired security level between Main and Universe.

My view is that if SSLv2 is OK for Universe, we should just leave it as is and 
suck up the pain of updating the individual applications.  

Scott K
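Whichever way the packaging question is settled, an administrator ends up wanting to know whether the libssl actually installed on a box still exposes SSLv2 (and, later, SSLv3). The following shell check is an added example written for this page, not code from the thread or from the Ubuntu openssl package. It relies on one documented behaviour of the openssl command-line tool: when the library is built with `no-ssl2` (or `no-ssl3`), the `-ssl2` (or `-ssl3`) option of the `ciphers` subcommand is not compiled in, so the command fails with a usage error instead of listing ciphers. The path to the binary is a parameter so that a non-default build can be inspected; the default is the `openssl` found in PATH.

```sh
#!/bin/sh
# Added example: report whether an OpenSSL build still carries SSLv2 / SSLv3.
#
# "openssl ciphers -ssl2" lists the SSLv2 cipher suites on a build that has
# SSLv2 compiled in and exits non-zero with "unknown option" on a no-ssl2
# build, so its exit status is a reliable presence test that needs no
# network and no server. The same holds for -ssl3 and no-ssl3 builds.
#
# Assumption (not from the original page): $1 names the openssl binary to
# inspect; when omitted, the one in PATH is used.

# Prints "present" or "absent" depending on whether the given openssl
# binary accepts the protocol selector passed as $2 (e.g. -ssl2).
proto_status() {
    bin="${1:-openssl}"
    selector="$2"
    if "$bin" ciphers "$selector" >/dev/null 2>&1; then
        echo present
    else
        echo absent
    fi
}

sslv2_status() { proto_status "${1:-openssl}" -ssl2; }
sslv3_status() { proto_status "${1:-openssl}" -ssl3; }

# One-line summary suitable for a config-audit log or a monitoring check.
protocol_report() {
    bin="${1:-openssl}"
    echo "openssl=$bin sslv2=$(sslv2_status "$bin") sslv3=$(sslv3_status "$bin")"
}

# Stand-alone use: audit the system openssl (or the one named on the
# command line) and fail the script if SSLv2 is still available, so the
# check can be wired into a deployment or CI pipeline.
if [ "${0##*/}" != "sh" ] && [ -n "${RUN_SSLV2_AUDIT:-}" ]; then
    protocol_report "${1:-openssl}"
    [ "$(sslv2_status "${1:-openssl}")" = absent ] || exit 1
fi
```

Run it as `RUN_SSLV2_AUDIT=1 sh check-sslv2.sh /usr/bin/openssl`; a non-zero exit means the library would still let a mis-configured client or server negotiate SSLv2. The check says nothing about what a given daemon is configured to offer, only what the library is capable of; for that, the usual `openssl s_client -ssl2 -connect host:port` against the running service is the complementary test.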