On Tue, Jun 28, 2016 at 02:16:38AM +0200, Axel Beckert wrote:
> > OpenSSL 1.0.2h in Debian Sid is compiled with SSLv2_client_method enabled
> > and SSLv3_client_method disabled. Is it a configuration error? Why would
> > anyone want to enable SSL2 and disable SSL3? I suppose that the older
> > protocols should be disabled and newer protocols enabled.
>
> No idea, Cc'ing Debian's OpenSSL team. They probably can tell.

It got enabled by accident again. It used to be disabled (using no-ssl2), but then upstream we decided to disable SSLv2 by default and this broke lots of other distributions that didn't expect those symbols to go away. So instead we split no-ssl2 in 2 parts, no-ssl2 and no-ssl2-method (like in the case of ssl3), and have the SSLv2 methods return NUL by default instead. But then in the next uploads (both stable and unstable) I actually forgot to add no-ssl2-method to the config call so those methods exist again, people call it again, and I can't remove them without another soname change.

Kurt
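
Added example, not part of the original thread and not Debian's or OpenSSL's code: a Python `ctypes` probe that classifies each legacy method constructor in a given libssl as absent (the no-ssl2-method / no-ssl3-method case), exported but returning NULL (the default stub described in the reply), or usable. The server-side symbol names and the three state labels are choices made for this example.

```python
import ctypes
import ctypes.util

# Method constructors named in the thread, plus their server-side counterparts
# (the server-side names are an addition of this example).
LEGACY_METHODS = (
    "SSLv2_client_method", "SSLv2_server_method",
    "SSLv3_client_method", "SSLv3_server_method",
)


def classify(lib, name):
    """Return 'absent', 'stub-null' or 'usable' for one exported symbol."""
    try:
        fn = getattr(lib, name)   # ctypes raises AttributeError if not exported
    except AttributeError:
        return "absent"           # built with the matching no-*-method option
    fn.restype = ctypes.c_void_p  # const SSL_METHOD *; a NULL pointer maps to None
    fn.argtypes = []
    return "usable" if fn() else "stub-null"


def audit(lib):
    """Classify every legacy method constructor in the loaded library."""
    return {name: classify(lib, name) for name in LEGACY_METHODS}


def load_libssl(path=None):
    """Load libssl from an explicit path or the system default; None if missing."""
    path = path or ctypes.util.find_library("ssl")
    return ctypes.CDLL(path) if path else None


if __name__ == "__main__":
    lib = load_libssl()
    if lib is None:
        print("libssl not found")
    else:
        for name, state in audit(lib).items():
            print(f"{name:22} {state}")
```

Pass a path to `load_libssl()` to audit a specific build rather than the system default.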

