Hi,

I think a separate openssl-insecure package with a (possibly statically linked) "/usr/bin/openssl-insecure" binary should be safe enough that people don't "accidentally" use it. If you would want to really make sure it isn't abused you'd put it somewhere in /usr/lib/openssl-insecure/.

Building it from the same source as the standard openssl binary is the higher risk in my opinion: what if some of the insecure build options suddenly get applied to the main build? Also, upstream might remove some of the deprecated/broken features from the code completely, in which case testssl.sh probably needs to learn to use multiple binaries.

JFYI: I think the testssl.sh upstream openssl binary also has some other patches, e.g. enabling IPv6.

cheers,
Stefan

