On Mon, Jul 21, 2008 at 09:28:37AM -0700, Kees Cook wrote:
> On Sun, Jul 20, 2008 at 11:45:22PM -0700, Steve Langasek wrote:
> > On Mon, Jul 21, 2008 at 06:58:41AM +0200, Ante Karamatic wrote:
> > > at all, the easiest way to remove SSLv2 from Ubuntu is to disable it in
> > > OpenSSL too. And I think everybody would prefer that over changing
> > > configuration for each package. I realize that this might be a huge
> > > change and maybe should be done in Debian, but the impact should be
> > > minimal (if any).
> > >
> > > Are there any packages/programs that anyone is aware of that still
> > > don't use SSLv3 or TLS, but only SSLv2 (it's been a decade since SSLv3
> > > was released)?
> >
> > There is a bug in the Debian BTS about OpenLDAP+gnutls failing to connect to
> > an IBM LDAP product, presumed to be because gnutls doesn't support SSLv2:
> > <http://bugs.debian.org/466477>
> >
> > Given that the OpenLDAP packages are already /not/ using OpenSSL this
> > doesn't apply directly, but there might be other examples of such things in
> > the wild that users need to be able to maintain compatibility with.
>
> If we consider such things to be corner cases, I would say that
> disabling SSLv2 in openssl makes sense -- we should provide a safe set
> of crypto functions by default.

How will users who need SSLv2 support re-enable it?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]

-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
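As an added illustration, not part of the thread, of the per-package route Ante weighs against a library-wide change: each program refuses SSLv2/SSLv3 in its own OpenSSL context, and an audit function reports what a context would still negotiate. Python's ssl module is assumed here purely for illustration; the list discussion does not mention it.

```python
import ssl

# Legacy protocol options an application can refuse itself (hypothetical
# audit table, constructed for this example). On OpenSSL >= 1.1.0 SSLv2 was
# removed from the library, so ssl.OP_NO_SSLv2 is literally 0 there.
LEGACY = (
    ("SSLv2", ssl.OP_NO_SSLv2, None),
    ("SSLv3", ssl.OP_NO_SSLv3, ssl.TLSVersion.SSLv3),
)


def hardened_client_context():
    """Client context that refuses SSLv2/SSLv3 and sets a TLS 1.2 floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # needs OpenSSL >= 1.1.0g
    return ctx


def legacy_protocols_enabled(ctx):
    """Return names of legacy protocols the context could still negotiate."""
    enabled = []
    floor = ctx.minimum_version
    for name, flag, version in LEGACY:
        if flag == 0:
            # The OpenSSL build has no SSLv2 code at all: nothing to disable.
            continue
        blocked_by_flag = bool(ctx.options & flag)
        blocked_by_floor = (
            version is not None
            and floor != ssl.TLSVersion.MINIMUM_SUPPORTED
            and floor > version
        )
        if not (blocked_by_flag or blocked_by_floor):
            enabled.append(name)
    return enabled


def minimum_version_name(ctx):
    """Human-readable protocol floor, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("floor:", minimum_version_name(ctx))
    print("legacy still enabled:", legacy_protocols_enabled(ctx))
```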
