On Mon, 2010-07-19 at 14:12 -0700, Kees Cook wrote:
> In 2008 there was discussion[1] about disabling SSLv2 in OpenSSL. The
> conclusion seemed favorable for it, and so it was attempted[2] in openssl
> 0.9.8g-10.1ubuntu2 for Intrepid.
>
> Unfortunately, this change seems to have had no effect on the build, and
> SSLv2 has remained available. I would like to propose fixing this for real
> now, and documenting the change in the SSL man pages.
>
> I'd like to point out that even as far back as Dapper, GnuTLS has not
> supported SSLv2; IMO, it is high time to make it go away for OpenSSL too.
>
> The attached debdiff would disallow the use of SSLv2 in any mode without
> wrecking the openssl library ABI.
>
Yes please, make it go away.

People who are configuring mod_ssl with openssl the wrong way always have problems when a security audit comes along. SSLv2 is deprecated and should never be used in any scenario.

Regards,
\sh

-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
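The reply above points at the operational side of the problem: until the library itself refuses SSLv2, a mod_ssl `SSLProtocol` line that still permits it (or the absence of any `SSLProtocol` line, since the directive defaults to `all`) is what an auditor finds. The following is an added example written for this page, not Kees Cook's debdiff or any code from the thread. It is a small lint that resolves mod_ssl's `SSLProtocol` argument semantics (a bare keyword sets the list, `+name` adds, `-name` removes, `all` expands to every protocol) and reports every virtual host that leaves SSLv2 reachable. The expansion of `all` and the sample configuration are assumptions made for the example; whether SSLv2 is actually negotiable also depends on the OpenSSL build, which is exactly the point of the proposed change.

```python
"""Lint Apache mod_ssl SSLProtocol directives for SSLv2 exposure.

Added example for this thread; not code from the original posts. The
protocol set that "all" expands to is an assumption: Apache 2.2's docs
define it as SSLv2 + SSLv3 + TLSv1, later releases add TLSv1.1/TLSv1.2.
"""
import re

# Assumed expansion of the "all" shorthand (see module docstring).
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

# Matches an SSLProtocol directive and captures its argument list.
DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.*?)\s*$", re.IGNORECASE)


def resolve_protocols(args):
    """Return the set of protocols an SSLProtocol argument list enables.

    mod_ssl semantics: an unsigned keyword replaces the current set,
    "+name" adds a protocol and "-name" removes one. Keywords are
    compared case-insensitively.
    """
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        members = ALL_PROTOCOLS if name == "all" else {name}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = set(members)
    return enabled


def sslv2_permitted(args):
    """True when the directive leaves SSLv2 negotiable."""
    return "sslv2" in resolve_protocols(args)


def lint_config(text):
    """Return (line_number, reason) findings for an Apache config fragment.

    A config with no SSLProtocol directive at all is reported with line 0,
    because mod_ssl's default for the directive is "all".
    """
    findings = []
    saw_directive = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        saw_directive = True
        if sslv2_permitted(match.group(1)):
            findings.append((lineno, f"SSLv2 permitted by: {stripped}"))
    if not saw_directive:
        findings.append((0, "no SSLProtocol directive; mod_ssl default is 'all'"))
    return findings


# Constructed sample configuration: one host fixed correctly, one not.
SAMPLE_CONFIG = """\
# constructed sample, not a real server config
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, reason in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}")
```

Run it against a real `httpd.conf` or `sites-enabled/*` by passing the file contents to `lint_config`; a clean result means every directive removes SSLv2 explicitly, which is the configuration that survives an audit regardless of how the underlying OpenSSL was built.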
