FS#39793 - [openssl] Build with no-ssl2 option

Attached to Project: Arch Linux
Opened by wes (Nisstyre56) - Wednesday, 09 April 2014, 18:11 GMT
Last edited by Doug Newgard (Scimmia) - Sunday, 06 March 2016, 23:46 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 10
Private No

Details

Description: OpenSSL should be built with the no-ssl2 option by default. SSL v2 is considered highly insecure.

See: https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_2.0

Various tools such as SSLLabs will warn if it is allowed by https servers, for example. There is no conceivable reason to support it other than having to support ancient web browsers or other very old pieces of software.

The fix is simply to add the no-ssl2 option to the openssl PKGBUILD.

Closed by Doug Newgard (Scimmia)
Sunday, 06 March 2016, 23:46 GMT
Reason for closing: Implemented
Additional comments about closing: openssl 1.0.2.g-3
Comment by cupcake (muffins) - Friday, 25 April 2014, 14:55 GMT
Comment by Sapalot (superfranky) - Tuesday, 06 May 2014, 23:01 GMT
Well, agreed, openssl is quite a mess, until libressl is ready enough to replace it.


I tried openssl without ssl2 support, compiles/runs fine, thanks for the suggestion, although qt-4.8.6 (maybe KDE4 too) seems to completely dislike it somehow.

It's not so easy to cut the ropes just now...
Comment by t-ask (tAsk) - Thursday, 08 May 2014, 17:52 GMT
Maybe it's just the right time to cut the ropes while Heartbleed is still in our heads.
Comment by A. K. (Misery) - Friday, 07 November 2014, 11:22 GMT
no-ssl3 should be added, too.
Comment by Jens Adam (byte) - Friday, 10 July 2015, 15:57 GMT
Take a look at Debian: https://anonscm.debian.org/viewvc/pkg-openssl/openssl/trunk/debian/rules?revision=728&view=markup#l29
- dropped SSL2 in December 2010
- dropped zlib in December 2013
- dropped SSL3 in November 2014

And now there's https://tools.ietf.org/html/rfc7568 of course.

Maybe this will also (finally) fix all those non-mainstream browsers in our repos with their horrendous cipher preferences...
Comment by Pierre Schmitz (Pierre) - Friday, 10 July 2015, 16:14 GMT
We should look into this, right. The last time I tried this I needed to recompile everything that depended on openssl though.
Comment by Rob Hoelz (hoelzro) - Wednesday, 02 March 2016, 15:55 GMT
I stumbled across this issue looking for issues pertaining to openssl-1.0.2g; since no-ssl2 is the default as of 1.0.2g, is this issue redundant?
Comment by Levente Polyak (anthraxx) - Thursday, 03 March 2016, 00:56 GMT
Yes, we are currently doing a major rebuild with both no-ssl2 and no-ssl3 that should be done in the following days.
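The following is an added example (not code from this ticket or from Arch's openssl package) showing the dependent-software side of the rebuild that Sapalot and Pierre describe: CPython's ssl module defines PROTOCOL_SSLv2 and PROTOCOL_SSLv3 only when the libssl it was linked against was built with those protocols, so their absence confirms a no-ssl2/no-ssl3 build, and code that names those constants is exactly what breaks after such a rebuild. The hardened context shows how an application refuses SSLv3 whichever way libssl was built; the function names and the optional certfile/keyfile parameters are this example's own.

```python
import ssl
from typing import Optional

# CPython only exposes these constants when libssl was compiled *with* the
# protocol (i.e. without the no-ssl2 / no-ssl3 configure options). Their
# absence therefore confirms the build flags requested in this ticket, and is
# also why software referring to them needs a rebuild or a code change.
LEGACY_PROTOCOL_ATTRS = {"SSLv2": "PROTOCOL_SSLv2", "SSLv3": "PROTOCOL_SSLv3"}


def linked_libssl_legacy_support() -> dict:
    """Map 'SSLv2'/'SSLv3' to True if the linked libssl still offers them."""
    return {name: hasattr(ssl, attr) for name, attr in LEGACY_PROTOCOL_ATTRS.items()}


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context that refuses SSLv2/SSLv3 (and TLS 1.0/1.1) regardless of
    how libssl was built, via the protocol floor instead of the deprecated
    OP_NO_* option bits. certfile/keyfile are hypothetical parameters, only
    needed to actually serve connections."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def permits_legacy_ssl(ctx: ssl.SSLContext) -> bool:
    """True if ctx could still negotiate SSLv3. SSLv2 needs no check: OpenSSL
    1.1.0+ has no SSLv2 code at all, and PROTOCOL_TLS_* contexts always carry
    OP_NO_SSLv2. SSLv3 is reachable only if neither the version floor nor the
    OP_NO_SSLv3 option excludes it."""
    floor_allows = ctx.minimum_version in (ssl.TLSVersion.MINIMUM_SUPPORTED,
                                           ssl.TLSVersion.SSLv3)
    option_blocks = bool(ctx.options & ssl.OP_NO_SSLv3)
    return floor_allows and not option_blocks


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    for proto, present in linked_libssl_legacy_support().items():
        print(f"{proto}: {'still available' if present else 'compiled out'}")
    ctx = hardened_server_context()
    print("hardened context permits legacy SSL:", permits_legacy_ssl(ctx))
```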
