SSLv2 - do we really need it?
steve.langasek at ubuntu.com
Sat Jul 26 20:16:32 UTC 2008
On Sat, Jul 26, 2008 at 01:27:52PM -0600, Neal McBurnett wrote:
> On Sun, Jul 20, 2008 at 11:45:22PM -0700, Steve Langasek wrote:
> > On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
> > > https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2
> > > Are there any packages/programs that anyone is aware of that still
> > > don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
> > > was released)?
> > There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
> > an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
> > <http://bugs.debian.org/466477>
> > Given that the OpenLDAP packages are already /not/ using OpenSSL this
> > doesn't apply directly, but there might be other examples of such things in
> > the wild that users need to be able to maintain compatibility with.
> So I'm confused about what Steve said. I don't fully grok the bug,
> but it sounds to me like there is presumed to be an IBM LDAP product
> out there that can't be connected to because of lack of sslv2 support
> in Ubuntu gnutls. And thus it might have more problems with lack of
> sslv2 in OpenSSL - e.g. if there is an Ubuntu LDAP client that uses
> OpenSSL that would no longer have sslv2 in Intrepid. Or again maybe
> I'm just not grasping the issue in the bug....

TTBOMK, the only LDAP client library we ship in the archive is the OpenLDAP
one, and that one uses GnuTLS in the Debian and Ubuntu builds.

If there are other corner cases where compatibility is an issue, they're
almost certainly with protocols other than LDAP.

Steve Langasek
Debian Developer
Ubuntu Developer
slangasek at ubuntu.com
vorlon at debian.org
http://www.debian.org/
Give me a lever long enough and a Free OS to set it on, and I can move the world.