On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
> I've been working on:
> https://blueprints.edge.launchpad.net/ubuntu/+spec/migrate-off-ssl-v2
>
> Two of our SSL libraries have SSLv2 disabled (or non-existing) by
> default - GnuTLS and NSS. Since SSLv2 is archaic and shouldn't be used
> at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
> OpenSSL too. And I think everybody would prefer that over changing
> configuration for each package. I realize that this might be a huge
> change and maybe should be done in Debian, but the impact should be
> minimal (if any).
>
> Are there any packages/programs that anyone is aware of that still
> don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
> was released)?

There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
<http://bugs.debian.org/466477>

Given that the OpenLDAP packages are already /not/ using OpenSSL this
doesn't apply directly, but there might be other examples of such things in
the wild that users need to be able to maintain compatibility with.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]

-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
