SSLv2 - do we really need it?

Scott Kitterman ubuntu at kitterman.com
Sat Jul 26 20:41:24 UTC 2008


On Sat, 26 Jul 2008 13:27:52 -0600 Neal McBurnett <neal at bcn.boulder.co.us> wrote:
>On Fri, Jul 25, 2008 at 08:29:25AM +0200, Soren Hansen wrote:
>> On Thu, Jul 24, 2008 at 11:02:44AM -0700, Steve Langasek wrote: 
>> >> I believe someone in another thread gave specific examples of 3rd
>> >> party stuff that needed SSLv2 to function.  Forcing them to compile
>> >> OpenSSL themselves seems worse to me.
>> > Do you have a pointer to the examples of stuff still needing SSLv2?  I
>> > hadn't seen any listed on ubuntu-devel.
>> 
>> I've tried looking through the ubuntu-server and ubuntu-devel{,-discuss}
>> mailing list archives, and I can't seem to find it.  Same for my
>> irclogs. I appear to be making it all up. I suppose if no one can come up
>> with a single example of anything that requires SSLv2, then I guess it's
>> all a moot point and we can just disable it, and deal with the fallout
>> if any should turn up.
>
>Well, I had the same thought in my mind, and it led me to something
>Steve himself posted earlier:
>
>On Sun, Jul 20, 2008 at 11:45:22PM -0700, Steve Langasek wrote:
>> On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
>> > https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2
>> >
>> > Are there any packages/programs that anyone is aware of that still
>> > don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
>> > was released)?
>> 
>> There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
>> an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
>> <http://bugs.debian.org/466477>
>> 
>> Given that the OpenLDAP packages are already /not/ using OpenSSL this
>> doesn't apply directly, but there might be other examples of such things in
>> the wild that users need to be able to maintain compatibility with.
>
>So I'm confused about what Steve said.  I don't fully grok the bug,
>but it sounds to me like there is presumed to be an IBM LDAP product
>out there that can't be connected to because of lack of sslv2 support
>in Ubuntu gnutls.  And thus it might have more problems with lack of
>sslv2 in OpenSSL - e.g. if there is an Ubuntu LDAP client that uses
>OpenSSL that would no longer have sslv2 in Intrepid.  Or again maybe
>I'm just not grasping the issue in the bug....
>

In any case, IMO any app still stuck on SSLv2 needs to take note of what 
century we are in and either catch up or rest in peace.

Scott K



