"Kees Cook" <[email protected]> wrote:
>In 2008 there was discussion[1] about disabling SSLv2 in OpenSSL. The >conclusion seemed favorable for it, and so it was attempted[2] in openssl >0.9.8g-10.1ubuntu2 for Intrepid. > >Unfortunately, this change seems to have had no affect on the build, and >SSLv2 has remained available. I would like to propose fixing this for real >now, and documenting the change in the SSL man pages. > >I'd like to point out that even as far back as Dapper, GnuTLS has not >supported SSLv2; IMO, it is high time to make it go away for OpenSSL too. > >The attached debdiff would disallow the use of SSLv2 in any mode without >wrecking the openssl library ABI. > >Thoughts? > >-Kees > >[1] https://lists.ubuntu.com/archives/ubuntu-server/2008-July/001976.html Yes. Please. Make it die. Scott K -- ubuntu-server mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
