Hello,

I've been working on:
https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2

Two of our SSL libraries have SSLv2 disabled (or non-existing) by default - GnuTLS and NSS. Since SSLv2 is archaic and shouldn't be used at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in OpenSSL too. And I think everybody would prefer that over changing configuration for each package.

I realize that this might be a huge change and maybe should be done in Debian, but the impact should be minimal (if any).

Are there any packages/programs that anyone is aware of that still don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3 was released)? How about 3rd party clients? For those cases, sysadmins would prefer a configuration option in packages.

I'll continue working on configuration patches of services, but still would like to hear opinions on this subject.

Thanks

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
