really drop SSLv2

Scott Kitterman ubuntu at kitterman.com
Mon Jul 19 21:22:51 UTC 2010



"Kees Cook" <kees at ubuntu.com> wrote:

>In 2008 there was discussion[1] about disabling SSLv2 in OpenSSL. The
>conclusion seemed favorable for it, and so it was attempted[2] in openssl
>0.9.8g-10.1ubuntu2 for Intrepid.
>
>Unfortunately, this change seems to have had no effect on the build, and
>SSLv2 has remained available. I would like to propose fixing this for real
>now, and documenting the change in the SSL man pages.
>
>I'd like to point out that even as far back as Dapper, GnuTLS has not
>supported SSLv2; IMO, it is high time to make it go away for OpenSSL too.
>
>The attached debdiff would disallow the use of SSLv2 in any mode without
>wrecking the openssl library ABI.
>
>Thoughts?
>
>-Kees
>
>[1] https://lists.ubuntu.com/archives/ubuntu-server/2008-July/001976.html

Yes. Please. Make it die. 

Scott K




More information about the ubuntu-server mailing list