On Sat, Jun 28, 2014 at 06:34:01PM +0100, Dominyk Tiller wrote:
> Hey all,
>
> I wondered if you all had an opinion on disabling SSLv2 & SSLv3 during
> the ./configure process, and what kind of impact that'd have for
> end-users and general compatibility when building against an updated
> version of OpenSSL.
Debian has been built with no SSLv2 support since 2011. There were a few minor issues solved, but none of them were actually related to talking to other peers. I didn't get any complaints about not having SSLv2 support. Last time I checked there were still a few sites that only talk SSLv2, but I guess the numbers are so low that they can and should be ignored.

Most servers that support SSLv3 also support TLS 1.0. It should probably be doable to disable SSLv3 without much impact. The most recent stats about servers I know about are:
https://lists.fedoraproject.org/pipermail/security/2014-April/001810.html

But I'm guessing you're more interested in the client side support for TLS 1.0 or higher. I don't have any real numbers about it, but I'm actually less worried about the clients.

Anyway, I wouldn't mind seeing a patch that would make it possible to build openssl without SSLv3 support. That doesn't mean it's going to be enabled by default, but it would give people the option to disable it if they want to. If you make such a patch, I might disable SSLv3 support in Debian, but that's unlikely to make it in jessie.

Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
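The thread discusses compiling SSLv2/SSLv3 out of OpenSSL at ./configure time and what that means for clients. The block below is an added example, not code from the thread or from the OpenSSL or Debian projects: it shows the runtime counterpart that an application can apply regardless of how its OpenSSL was built (refusing SSLv2/SSLv3 on a client context), plus a check that reports whether the linked OpenSSL still carries SSLv2/SSLv3 code at all, which is what a `no-ssl2`/`no-ssl3` build removes. The function names are my own; the `ssl` module attributes used (`OP_NO_SSLv2`, `OP_NO_SSLv3`, `HAS_SSLv2`, `HAS_SSLv3`, `OPENSSL_VERSION`) are part of Python's standard library.

```python
import ssl

# Added example (not from the thread). Runtime flags that refuse the legacy
# protocols on a context, whatever the build-time Configure options were.
LEGACY_OPTIONS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3


def make_tls_only_context() -> ssl.SSLContext:
    """Return a client context that negotiates TLS 1.0 or newer only.

    PROTOCOL_TLS_CLIENT already turns on hostname checking and certificate
    verification; OR-ing in OP_NO_SSLv2/OP_NO_SSLv3 is the per-application
    equivalent of building OpenSSL with no-ssl2/no-ssl3.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= LEGACY_OPTIONS
    return ctx


def legacy_ssl_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses both SSLv2 and SSLv3.

    Caveat: OpenSSL 1.1.0+ dropped SSLv2 entirely and defines SSL_OP_NO_SSLv2
    as 0, so on such builds this flag check is trivially satisfied for SSLv2;
    linked_openssl_report() below is the stronger question to ask.
    """
    return (ctx.options & LEGACY_OPTIONS) == LEGACY_OPTIONS


def linked_openssl_report() -> dict:
    """Report whether the OpenSSL that Python is linked against was built
    with SSLv2/SSLv3 support (False means the protocol was compiled out)."""
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "has_sslv2": ssl.HAS_SSLv2,
        "has_sslv3": ssl.HAS_SSLv3,
    }


if __name__ == "__main__":
    ctx = make_tls_only_context()
    print("legacy SSL refused by context:", legacy_ssl_disabled(ctx))
    for key, value in linked_openssl_report().items():
        print(f"{key}: {value}")
```

On a distribution build configured with `no-ssl2 no-ssl3`, the report shows `has_sslv2`/`has_sslv3` as False, which is the outcome the thread is weighing; the context flags cover the case where the library was built with those protocols left in.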