04-03-2011, 12:52 AM
Jérémy Lal

sslv2 and openssl 1.0

Hi,

openssl 1.0.0-d is in unstable and by default disables
sslv2 methods, so what's the correct decision to make, regarding
packages that use ssl as client or server :

1) patch package to disable code that uses sslv2, and explain
why in README.Debian.
People might complain about old sslv2 clients in case the
packaged software is a server (telepathy-*, web servers)

2) continue using sslv2 until upstream drops it
(using some unknown flag to enable it at build time)

In the case that concerns me, it's easy to do 1), but I believe
it's up to the users to choose, so I'd rather do 2).
However, I know how to disable it with -DOPENSSL_NO_SSL2,
but not how to enable it.

Jérémy Lal


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4D97C4C1.7040202@melix.org
 
04-03-2011, 02:23 AM
Scott Kitterman

sslv2 and openssl 1.0

On Saturday, April 02, 2011 08:52:17 PM Jérémy Lal wrote:
> Hi,
>
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server :
>
> 1) patch package to disable code that uses sslv2, and explain
> why in README.Debian.
> People might complain about old sslv2 clients in case the
> packaged software is a server (telepathy-*, web servers)
>
> 2) continue using sslv2 until upstream drops it
> (using some unknown flag to enable it at build time)
>
> In the case that concerns me, it's easy to do 1), but I believe
> it's up to the users to choose, so I'd rather do 2).
> However, I know how to disable it with -DOPENSSL_NO_SSL2,
> but not how to enable it.
>
> Jérémy Lal

I think that given RFC 6176, disabling it is the right thing to do. It's
ancient, obsolete and cryptographically insecure. Let it die. Also, now, at
the start of a development cycle, is the best time to begin doing it anyway.

Scott K


--
Archive: http://lists.debian.org/201104022223.32345.debian@kitterman.com
 
04-03-2011, 11:06 AM
Simon McVittie

sslv2 and openssl 1.0

On Sun, 03 Apr 2011 at 02:52:17 +0200, Jérémy Lal wrote:
> People might complain about old sslv2 clients in case the
> packaged software is a server (telepathy-*, web servers)

For the record, the various Telepathy daemons typically act as SSL clients
(where their various protocols support SSL at all), rather than SSL servers;
for instance, telepathy-gabble not supporting SSLv2 would only be a problem
if connecting to an SSLv2-only XMPP server.

Current work on end-to-end encryption is likely to involve tunnelling TLS
through IM protocols, but I'd expect that to be TLS 1.0 rather than anything
older.

S


--
Archive: http://lists.debian.org/20110403110625.GA4333@reptile.pseudorandom.co.uk
 
04-03-2011, 11:21 AM
Salvo Tomaselli

sslv2 and openssl 1.0

> For the record, the various Telepathy daemons typically act as SSL clients
> (where their various protocols support SSL at all), rather than SSL
> servers; for instance, telepathy-gabble not supporting SSLv2 would only be
> a problem if connecting to an SSLv2-only XMPP server.
Well, since ssl2 is not good, I would consider filing a bug report against any of
those servers, if they exist.


--
Salvo Tomaselli
 
04-03-2011, 11:29 AM
Kurt Roeckx

sslv2 and openssl 1.0

On Sun, Apr 03, 2011 at 02:52:17AM +0200, Jérémy Lal wrote:
> Hi,
>
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server :
>
> 1) patch package to disable code that uses sslv2, and explain
> why in README.Debian.
> People might complain about old sslv2 clients in case the
> packaged software is a server (telepathy-*, web servers)
>
> 2) continue using sslv2 until upstream drops it
> (using some unknown flag to enable it at build time)

There is no way to enable sslv2 anymore in the openssl library. I
will not re-add support for sslv2.

I doubt that there are many applications that only work with sslv2,
and if there are it's about time they start getting fixed to support
at least sslv3. Supporting tls would be even better.

Please note that any ssl connection has a way to indicate which
versions of ssl/tls it supports. If they already use a library
like openssl to do ssl, and didn't force the library to only do
sslv2, there shouldn't be a problem.


Kurt


--
Archive: http://lists.debian.org/20110403112939.GA15954@roeckx.be
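Kurt's point that a client announces the SSL/TLS versions it supports at the start of every connection is visible on the wire, and it is what a server-side check or an IDS rule inspects when deciding whether a peer is still trying to talk SSLv2. The script below is an added example for this thread, not code from the list, from Debian or from OpenSSL. It parses the two ClientHello framings (the SSLv2 CLIENT-HELLO with its 2-byte high-bit header, and the SSLv3/TLS handshake record) and reports whether the client offered anything an SSLv2-only peer could accept, which is the condition RFC 6176 (cited by Scott above) says must not be negotiated. The sample hellos are constructed inline; the cipher values 0x010080 (SSL_CK_RC4_128_WITH_MD5), 0x002F, 0xC02F and 0xC030 are real registry identifiers used here only as sample data.

```python
"""Classify a captured SSL/TLS ClientHello by wire framing and offered versions."""
import struct

# 16-bit version codes as carried in the hello messages.
VERSION_NAMES = {
    0x0002: "SSLv2",
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}


def build_sslv2_hello(version, cipher_specs, challenge=b"\x00" * 16):
    """Build a CLIENT-HELLO in the SSLv2 framing (constructed test input)."""
    specs = b"".join(c.to_bytes(3, "big") for c in cipher_specs)   # 3 bytes per spec
    body = b"\x01" + struct.pack(">HHHH", version, len(specs), 0, len(challenge))
    body += specs + challenge
    # Two-byte record header with the high bit set: no padding, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_hello(version, suites, rnd=b"\x00" * 32):
    """Build a ClientHello in the SSLv3/TLS record framing (constructed test input)."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)   # 2 bytes per suite
    hs = struct.pack(">H", version) + rnd + b"\x00"                 # empty session id
    hs += struct.pack(">H", len(suite_bytes)) + suite_bytes
    hs += b"\x01\x00"                                               # one compression method: null
    handshake = b"\x01" + len(hs).to_bytes(3, "big") + hs           # type 1 = client_hello
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Return a dict describing the hello: framing, version, ciphers, SSLv2 exposure."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")

    if data[0] & 0x80:
        # SSLv2 framing. A client that wants TLS may still use this framing for
        # backward compatibility, so the framing alone does not prove SSLv2.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("not an SSLv2-format CLIENT-HELLO")
        version, cs_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
        specs = body[9:9 + cs_len]
        if len(specs) != cs_len or cs_len % 3:
            raise ValueError("truncated or malformed cipher spec list")
        ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        # SSLv2 cipher specs have a non-zero first byte (e.g. 0x010080); TLS suites
        # carried in this framing are 0x00xxyy. An SSLv2-only server can pick one of
        # the former, so their presence is what makes SSLv2 negotiable.
        return {
            "format": "sslv2",
            "version": version,
            "version_name": VERSION_NAMES.get(version, "unknown"),
            "ciphers": ciphers,
            "sslv2_negotiable": any(c >> 16 for c in ciphers),
        }

    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_version, rec_len = struct.unpack(">HH", data[1:5])
    body = data[5:5 + rec_len]
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("not a TLS ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    client_version = struct.unpack(">H", hs[0:2])[0]
    pos = 35 + hs[34]                                               # skip random + session id
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {
        "format": "tls",
        "record_version": rec_version,
        "version": client_version,
        "version_name": VERSION_NAMES.get(client_version, "unknown"),
        "ciphers": suites,
        "sslv2_negotiable": False,   # TLS framing cannot carry an SSLv2 negotiation
    }


def verdict(data):
    """One-word classification for a detection rule or server-side check."""
    info = parse_client_hello(data)
    if info["sslv2_negotiable"]:
        return "sslv2-offered"       # what RFC 6176 forbids negotiating: reject / alert
    if info["format"] == "sslv2":
        return "v2-format-hello"     # legacy framing, but only SSLv3/TLS ciphers offered
    return "tls"


if __name__ == "__main__":
    samples = {
        "pure SSLv2": build_sslv2_hello(0x0002, [0x010080]),
        "v2-compat offering TLS 1.0": build_sslv2_hello(0x0301, [0x010080, 0x00002F]),
        "v2 framing, TLS-only ciphers": build_sslv2_hello(0x0301, [0x00002F]),
        "TLS 1.2": build_tls_hello(0x0303, [0xC02F, 0xC030]),
    }
    for name, hello in samples.items():
        print(f"{name:30s} -> {verdict(hello):16s} {parse_client_hello(hello)['version_name']}")
```

The second sample is the interesting one for Jérémy's question: a client built against a library that still had SSLv2 methods may advertise TLS 1.0 as its best version yet list an SSLv2 cipher spec, so an old server can still drag the session down to SSLv2. A library that simply lacks SSLv2 methods never emits that cipher spec, which is why Kurt's "the library negotiates for you" holds once the build no longer has SSLv2 at all.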
 
04-04-2011, 08:33 PM
Simon Josefsson

sslv2 and openssl 1.0

If there are any packages that use SSLv2 by default you might want to
file a security bug to get them fixed. I believe SSLv2 is really that
bad; it just gives a false sense of security.

/Simon


--
Archive: http://lists.debian.org/87mxk5hi3i.fsf@latte.josefsson.org