openssl, SSL2, KDE

Elan Ruusamäe glen at pld-linux.org
Sat Mar 5 14:14:11 CET 2016


On 05.03.2016 15:07, Adam Osuchowski wrote:
> Elan Ruusamäe wrote:
>> due to the nature of the change in recent openssl (removing a symbol) and upstream
>> not tracking this in the SONAME, it is impossible to know what got broken
> Maybe it's better to force enabling SSLv2 support than to bump releases of
> an indefinite number of other packages.
>
> It was rather unlikely that upstream developers dropped binary backward
> compatibility in a minor fix release.
>
> From CHANGES:
>
>    * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
>      is by default disabled at build-time.  Builds that are not configured with
>      "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
>      users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
>      will need to explicitly call either of:
>
> I've just committed a fix to the sslv2 bcond (and sslv3, for the future).
> Works for me.

I don't know, doesn't that make the openssl version vulnerable to the DROWN attack?

Should we now build with the sslv2 version enabled again? (It will be so
after your 2a82d451c777176ff64a6ba685f6daa046967f07.)
Or disable the bcond, as most of the tree will soon be rebuilt without sslv2 symbols?

-- 
glen
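The breakage discussed above (a symbol removed while the SONAME stayed the same) can be found mechanically by looking at which installed objects still import the SSLv2-only entry points. This is an added example, not code from the thread or from PLD: a POSIX shell filter over `nm -D --undefined-only` output that matches only SSLv2_method, SSLv2_client_method and SSLv2_server_method (names assumed from the OpenSSL 1.0.x API), so the version-flexible SSLv23_method() mentioned in CHANGES is not mistaken for a hit; the sample nm output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Lists ELF objects that still import the
# SSLv2-only entry points that an OpenSSL built without "enable-ssl2" no longer
# exports. Such objects fail at load time with an "undefined symbol" error, and
# since the SONAME did not change, nothing else marks them as needing a rebuild.
# Assumed tooling: binutils `nm` for scan_dir; the filter itself is sh + awk.

# Symbols that disappear when SSLv2 is compiled out. SSLv23_method() and
# friends stay (that is the version-flexible API from the CHANGES entry), so a
# naive grep for "SSLv2" reports false positives; match exact names only.
SSLV2_ONLY_SYMBOLS="SSLv2_method SSLv2_client_method SSLv2_server_method"

# sslv2_refs: read `nm -D --undefined-only` output on stdin, print the
# SSLv2-only symbols it references, one per line, sorted and deduplicated.
# Newer binutils append "@VERSION" to symbol names; that suffix is stripped.
sslv2_refs() {
    awk -v list="$SSLV2_ONLY_SYMBOLS" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        $1 == "U" { s = $2; sub(/@.*/, "", s); if (s in wanted) print s }
    ' | LC_ALL=C sort -u
}

# scan_dir DIR: run nm over every ELF file under DIR and print "path: symbol"
# for each SSLv2-only import. Returns 1 if at least one object would break.
scan_dir() {
    hits=$(find "$1" -type f | while IFS= read -r f; do
        # ELF magic 7f 45 4c 46; skips scripts, data and text files
        [ "$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')" = "7f454c46" ] || continue
        nm -D --undefined-only "$f" 2>/dev/null | sslv2_refs |
            while IFS= read -r s; do printf '%s: %s\n' "$f" "$s"; done
    done)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample of `nm -D --undefined-only` output for a binary linked
# against an SSLv2-capable OpenSSL: two real hits (one versioned, one repeated),
# one SSLv23_method that must not be reported, and unrelated imports.
SAMPLE_NM_OUTPUT='                 U SSL_CTX_new
                 U SSLv23_method
                 U SSLv2_method
                 U SSLv2_server_method@OPENSSL_1.0.0
                 U SSLv2_method
                 U free@GLIBC_2.2.5'

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_NM_OUTPUT" | sslv2_refs
```

Running `scan_dir /usr` on a box where libssl was rebuilt without SSLv2 gives the list of packages that actually need a release bump; the same check against `nm -D --defined-only` on the new libssl.so confirms the symbols are really gone.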
