On Mon, 21 Jul 2008 09:42:40 -0700 Nick Barcet <[EMAIL PROTECTED]> wrote:
> While I fully agree about this on the principle, I would disagree if
> the method was to disable this at compile time in OpenSSL. I would
> consider a conf file modification acceptable for the corner cases,
> not a recompile. I am not sure which method was suggested by Ante to
> do the change, though.

I would prefer disabling SSLv2 in OpenSSL at compile time, cause disabling SSLv2 in services isn't very easy with so strict packaging :) And, disabling it in openssl would solve the problem everywhere.

I'm not convinced that we should try keeping up with old or buggy clients which don't support TLS1 or SSLv3.

Until we decide on this, I'll continue patching packages in such a way that upgrades wouldn't change anything (SSLv2 would still be enabled), but new installs would have SSLv2 disabled (with an option to enable it; explained in README.Debian). There will be cases, like vsftpd, where this won't be possible, and SSLv2 will be disabled by default (even on upgrades).

Disabling SSLv2 on upgrades on all packages would make this job *a lot* easier.

In case I don't attend the meeting tomorrow, my patches will be available at http://www.grad.hr/~ivoks/ubuntu.

--
ubuntu-server mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
