Hi,

On Sun, Jul 20, 2008 at 11:45:22PM -0700, Steve Langasek wrote:
> On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
> > at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
> > OpenSSL too. And I think everybody would prefer that over changing
> > configuration for each package. I realize that this might be a huge
> > change and maybe should be done in Debian, but the impact should be
> > minimal (if any).
> >
> > Are there any packages/programs that anyone is aware of that still
> > don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
> > was released)?
>
> There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
> an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
> <http://bugs.debian.org/466477>
>
> Given that the OpenLDAP packages are already /not/ using OpenSSL this
> doesn't apply directly, but there might be other examples of such things in
> the wild that users need to be able to maintain compatibility with.
If we consider such things to be corner cases, I would say that disabling
SSLv2 in openssl makes sense -- we should provide a safe set of crypto
functions by default.

-Kees

--
Kees Cook
Ubuntu Security Team

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
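The thread's distinction between removing a protocol in the library and configuring it away in each package can be checked from an application. The following is an added example, not code from the thread or from Ubuntu/OpenSSL; it uses Python's ssl module on top of whatever OpenSSL build is installed, and treats everything below TLS 1.2 as legacy (an assumption for the audit, stricter than the 2008 discussion of SSLv2 alone).

```python
import ssl

# Protocol versions the ssl module can express as a floor, oldest first.
# SSLv2 has no TLSVersion member at all: a modern OpenSSL does not compile it,
# which is exactly the library-level removal the thread argues for.
_ORDER = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
# Assumption for this audit: anything below TLS 1.2 counts as legacy.
_LEGACY = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def library_legacy_support():
    """Library-wide default: does the OpenSSL build underneath still ship
    SSLv2/SSLv3 at all?  No per-package setting can re-enable what is absent."""
    return {"SSLv2": ssl.HAS_SSLv2, "SSLv3": ssl.HAS_SSLv3}


def legacy_versions_allowed(ctx):
    """Per-application view: names of legacy versions this SSLContext would
    still negotiate, given its minimum_version floor and the library build."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        floor = _ORDER[0]          # no floor configured: oldest the build knows
    allowed = []
    for version in _ORDER:
        if version < floor or version not in _LEGACY:
            continue
        if version == ssl.TLSVersion.SSLv3 and not ssl.HAS_SSLv3:
            continue               # configured as allowed, but not compiled in
        allowed.append(version.name)
    return allowed


def hardened_context():
    """Context with an explicit TLS 1.2 floor (the per-package fix)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_context():
    """Deliberately weak context, constructed here only to show what the
    audit reports when an application lowers its own floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


if __name__ == "__main__":
    print("library:", library_legacy_support())
    print("hardened:", legacy_versions_allowed(hardened_context()))
    print("permissive:", legacy_versions_allowed(permissive_context()))
```

Run the audit against each SSLContext an application builds; an empty list from legacy_versions_allowed means the application floor already does what the thread wants the library default to do.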
