FS#39793 - [openssl] Build with no-ssl2 option
Attached to Project:
Arch Linux
Opened by wes (Nisstyre56) - Wednesday, 09 April 2014, 18:11 GMT
Last edited by Doug Newgard (Scimmia) - Sunday, 06 March 2016, 23:46 GMT
Details
Description: OpenSSL should be built with the no-ssl2 option by default. SSL v2 is considered highly insecure.
See: https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_2.0 Various tools such as SSLLabs will warn if it is allowed by https servers, for example. There is no conceivable reason to support it other than having to support ancient web browsers or other very old pieces of software. The fix is simply to add the no-ssl2 option to the openssl PKGBUILD.
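A quick way to check whether the OpenSSL a system actually links against still carries SSLv2 (or SSLv3 / TLS 1.0 / TLS 1.1) code is to ask Python's standard `ssl` module, which exposes the build-time protocol support of the linked library as `HAS_*` flags. The script below is an added example written for this page, not code from the bug report or from the Arch openssl package; the function names are my own, and on an Arch system the "linked library" it reports is the system openssl package. The report says whether the library was compiled with the protocol at all, which is exactly what the no-ssl2 configure option controls.

```python
"""Report which legacy SSL/TLS protocol versions the OpenSSL linked into
this Python build still offers (added example, not from the bug report)."""
import ssl

# Feature flags exposed by Python's ssl module (3.7+). They reflect how the
# underlying OpenSSL library was compiled (e.g. with or without no-ssl2),
# not a runtime setting. A flag missing on old Pythons is reported as None.
LEGACY_FLAGS = {
    "SSLv2": "HAS_SSLv2",
    "SSLv3": "HAS_SSLv3",
    "TLSv1": "HAS_TLSv1",
    "TLSv1.1": "HAS_TLSv1_1",
}


def legacy_protocol_support():
    """Return {protocol: True/False/None} for each legacy protocol.

    True  -> the linked OpenSSL was built with this protocol
    False -> compiled out (what no-ssl2 / no-ssl3 achieve)
    None  -> this Python is too old to expose the flag (unknown)
    """
    return {proto: getattr(ssl, attr, None) for proto, attr in LEGACY_FLAGS.items()}


def offending_protocols(report=None):
    """List the legacy protocols the library definitely still supports."""
    report = legacy_protocol_support() if report is None else report
    return [proto for proto, supported in report.items() if supported is True]


def hardened_client_context():
    """Build a client context that refuses everything below TLS 1.2.

    Even when the library still ships SSLv3 / TLS 1.0 code, pinning
    minimum_version keeps this process from ever negotiating them, so an
    application need not wait for the distribution to rebuild the library.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("linked library:", ssl.OPENSSL_VERSION)
    for proto, supported in legacy_protocol_support().items():
        state = {True: "SUPPORTED", False: "disabled", None: "unknown"}[supported]
        print(f"  {proto:8s} {state}")
    bad = offending_protocols()
    print("legacy protocols still compiled in:", bad or "none")
```

Run it with the Python that links the system OpenSSL; a library built with no-ssl2 reports SSLv2 as disabled, and OpenSSL 1.1.0 and later no longer contain SSLv2 at all, so the same check stays useful for the later SSLv3 / TLS 1.0 removals the thread alludes to.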
Closed by Doug Newgard (Scimmia)
Sunday, 06 March 2016, 23:46 GMT
Reason for closing: Implemented
Additional comments about closing: openssl 1.0.2.g-3
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706
I tried openssl without ssl2 support, compiles/runs fine, thanks for the suggestion, although qt-4.8.6 (maybe KDE4 too) seems to completely dislike it somehow.
It's not so easy to cut the ropes just now...
- dropped SSL2 in December 2010
- dropped zlib in December 2013
- dropped SSL3 in November 2014
And now there's https://tools.ietf.org/html/rfc7568 of course.
Maybe this will also (finally) fix all those non-mainstream browsers in our repos with their horrendous cipher preferences...