SSLv2 - do we really need it?

Scott Kitterman ubuntu at
Sat Jul 26 20:41:24 UTC 2008

On Sat, 26 Jul 2008 13:27:52 -0600 Neal McBurnett <neal at> 
>On Fri, Jul 25, 2008 at 08:29:25AM +0200, Soren Hansen wrote:
>> On Thu, Jul 24, 2008 at 11:02:44AM -0700, Steve Langasek wrote: 
>> >> I believe someone in another thread gave specific examples of 3rd
>> >> party stuff that needed SSLv2 to function.  Forcing them to compile
>> >> OpenSSL themselves seems worse to me.
>> > Do you have a pointer to the examples of stuff still needing SSLv2?  I
>> > hadn't seen any listed on ubuntu-devel.
>> I've tried looking through the ubuntu-server and ubuntu-devel{,-discuss}
>> mailing list archives, and I can't seem to find it.  Same for my
>> irclogs. I appear to be making it all up. I suppose if no one can come up
>> with a single example of anything that requires SSLv2, then I guess it's
>> all a moot point and we can just disable it, and deal with the fallout
>> if any should turn up.
>Well, I had the same thought in my mind, and it led me to something
>Steve himself posted earlier:
>On Sun, Jul 20, 2008 at 11:45:22PM -0700, Steve Langasek wrote:
>> On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
>> >
>> >
>> > Are there any packages/programs that anyone is aware of that still
>> > don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
>> > was released)?
>> There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
>> an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
>> <>
>> Given that the OpenLDAP packages are already /not/ using OpenSSL this
>> doesn't apply directly, but there might be other examples of such things in
>> the wild that users need to be able to maintain compatibility with.
>So I'm confused about what Steve said.  I don't fully grok the bug,
>but it sounds to me like there is presumed to be an IBM LDAP product
>out there that can't be connected to because of lack of sslv2 support
>in Ubuntu gnutls.  And thus it might have more problems with lack of
>sslv2 in OpenSSL - e.g. if there is an Ubuntu LDAP client that uses
>OpenSSL that would no longer have sslv2 in Intrepid.  Or again maybe
>I'm just not grasping the issue in the bug....

In any case, IMO any app still stuck on SSLv2 needs to take note of what 
century we are in and either catch up or rest in peace.

Scott K

