openssl, SSL2, KDE

Adam Osuchowski adwol at zonk.pl
Sat Mar 5 14:52:52 CET 2016


Elan Ruusamäe wrote:
> i don't know, doesn't that make openssl version vulnerable to DROWN attack?

If I understood the security advisory correctly (http://openssl.org/news/secadv/20160301.txt),
there should be no problems with 1.0.2g unless the client/server uses SSLv2
or SSLv2 ciphersuites (which are deprecated anyway).

> should we now build with sslv2 version enabled again? (it will be so after 
> your 2a82d451c777176ff64a6ba685f6daa046967f07)
> or disable the bcond as most of the tree soon rebuilt without sslv2 symbols?

I personally need SSLv2/SSLv3 support mainly for testing purposes.
I don't use SSLv2/SSLv3 in production environments but there are real
needs to own SSLv2/SSLv3 client/server and use it from time to time.

An alternative solution is to produce a separate openssl package
(e.g. openssl-ssl23) with other filenames and sonames. Maybe it is
easily feasible.

On the other hand, if the client/server has disabled deprecated SSL versions
explicitly, everything should be ok (until the next openssl bug...).

