On Mon, 21 Jul 2008 06:58:41 +0200 Ante Karamatic <[EMAIL PROTECTED]> wrote:
>Hello
>
>I've been working on:
>
>https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2
>
>Two of our SSL libraries have SSLv2 disabled (or non-existing) by
>default - GnuTLS and NSS. Since SSLv2 is archaic and shouldn't be used
>at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
>OpenSSL too. And I think everybody would prefer that over changing
>configuration for each package. I realize that this might be a huge
>change and maybe should be done in Debian, but the impact should be
>minimal (if any).
>
>Are there any packages/programs that anyone is aware of that still
>don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
>was released)?
>
>How about 3rd party clients? For those cases, sysadmins would prefer
>a configuration option in packages.
>
>I'll continue working on configuration patches of services, but still
>would like to hear opinions on this subject.

V2 should not be considered cryptographically secure as I understand it. If anything breaks, better to break it now than deal with security uploads after release.

Scott K

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
