On Saturday, April 02, 2011 08:52:17 PM Jérémy Lal wrote:
> Hi,
>
> openssl 1.0.0-d is in unstable and by default disables
> sslv2 methods, so what's the correct decision to make, regarding
> packages that use ssl as client or server:
>
> 1) patch package to disable code that uses sslv2, and explain
> why in README.Debian.
> People might complain about old sslv2 clients in case the
> packaged software is a server (telepathy-*, web servers)
>
> 2) continue using sslv2 until upstream drops it
> (using some unknown flag to enable it at build time)
>
> In the case that concerns me, it's easy to do 1), but I believe
> it's up to the users to choose, so I'd rather do 2).
> However, I know how to disable it with -DOPENSSL_NO_SSL2,
> but not how to enable it.
>
> Jérémy Lal
I think that given RFC 6176, disabling it is the right thing to do. It's ancient, obsolete and cryptographically insecure. Let it die. Also, now, at the start of a development cycle, is the best time to be doing it anyway.

Scott K

Archive: http://lists.debian.org/201104022223.32345.deb...@kitterman.com
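The practical side of the question above, how a package that still references SSLv2 is meant to build against a libssl configured with no-ssl2, comes down to one macro: opensslconf.h defines OPENSSL_NO_SSL2 for such a build, and ssl.h then omits the SSLv2_* method declarations, so any unguarded reference fails to compile. The script below is an added example; it is not code from this thread, from Debian's openssl packaging or from OpenSSL itself. It probes the installed headers the way a configure check or debian/rules would, and compile-checks the source-side guard a package needs to build either way. It assumes a C compiler reachable as $CC (default cc) with any OpenSSL headers on its include path or supplied via $CFLAGS; the allow_sslv2 setting in the embedded C is a hypothetical user option, not anything from the thread.

```sh
#!/bin/sh
# Added example, not from the thread, from Debian's openssl packaging or from
# OpenSSL: probe the installed OpenSSL headers for OPENSSL_NO_SSL2 the way a
# configure script would, and compile-check a source-side guard that lets a
# package build against a libssl with or without SSLv2.
# Assumptions: a C compiler is reachable as $CC (default cc); OpenSSL headers,
# if installed, are on its include path or reachable through $CFLAGS.
set -u

# Prints "disabled" if opensslconf.h defines OPENSSL_NO_SSL2, "enabled" if the
# header exists but does not define it, "unknown" if no compiler or no header.
# Reading the preprocessor's -dM output (instead of grepping a header path)
# honours -I/--sysroot in $CFLAGS, so it also works for cross builds.
# Scope: OpenSSL 1.0.x, the series the thread is about; 1.1.0 deleted SSLv2
# from the source, so on that series the macro alone says nothing.
openssl_sslv2_status() {
    cc_cmd="${CC:-cc}"
    command -v "$cc_cmd" >/dev/null 2>&1 || { echo unknown; return 0; }
    defs=$(printf '#include <openssl/opensslconf.h>\n' |
        "$cc_cmd" ${CFLAGS:-} -E -dM -x c - 2>/dev/null) || { echo unknown; return 0; }
    if printf '%s\n' "$defs" | grep -Eq '^#define OPENSSL_NO_SSL2( |$)'; then
        echo disabled
    else
        echo enabled
    fi
}

# Compile-checks (no linking, so libssl.so is not needed) the guard pattern a
# package needs if it wants an opt-in SSLv2 path for users (option 2 in the
# question) while still building cleanly on a no-ssl2 library.
# Prints "ok", "fail" (headers present, pattern rejected) or "unknown".
guard_compiles() {
    cc_cmd="${CC:-cc}"
    command -v "$cc_cmd" >/dev/null 2>&1 || { echo unknown; return 0; }
    dir=$(mktemp -d) || { echo unknown; return 0; }
    cat >"$dir/guard.c" <<'EOF'
#include <openssl/opensslconf.h>
#include <openssl/opensslv.h>
#include <openssl/ssl.h>

/* SSLv2_client_method() is only declared when the library carries SSLv2;
 * referencing it on a no-ssl2 build is a compile error, hence the guard.
 * The version test is belt and braces: 1.1.0 removed SSLv2 outright. */
#if !defined(OPENSSL_NO_SSL2) && OPENSSL_VERSION_NUMBER < 0x10100000L
# define HAVE_SSLV2 1
#else
# define HAVE_SSLV2 0
#endif

/* allow_sslv2 is a hypothetical user setting (README.Debian material). */
SSL_CTX *make_client_ctx(int allow_sslv2)
{
    SSL_CTX *ctx;
#if HAVE_SSLV2
    if (allow_sslv2)
        return SSL_CTX_new(SSLv2_client_method());
#else
    (void)allow_sslv2;          /* no SSLv2 in this library: request ignored */
#endif
    /* SSLv23_* is the version-negotiating method; the name is historical.
     * SSL_OP_NO_SSLv2 is always defined, so masking it costs nothing on a
     * no-ssl2 build and matters on a build that still has it (RFC 6176). */
    ctx = SSL_CTX_new(SSLv23_client_method());
    if (ctx != NULL)
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
    return ctx;
}
EOF
    if "$cc_cmd" ${CFLAGS:-} -c -o "$dir/guard.o" "$dir/guard.c" 2>/dev/null; then
        result=ok
    elif printf '#include <openssl/ssl.h>\n' |
         "$cc_cmd" ${CFLAGS:-} -E -x c - >/dev/null 2>&1; then
        result=fail          # headers present, guard pattern does not compile
    else
        result=unknown       # no OpenSSL headers to test against
    fi
    rm -rf "$dir"
    echo "$result"
}

# Typical use from a build script: report what the library on this box offers.
echo "OPENSSL_NO_SSL2: $(openssl_sslv2_status); guard: $(guard_compiles)"
```

Run it during the build; the probe says "unknown" rather than guessing when no OpenSSL headers are installed. Note that there is no flag a dependent package can pass to re-enable SSLv2 against a libssl built with no-ssl2: the SSLv2 code is simply absent from that library, so the guarded path above only ever activates against a library that was rebuilt with SSLv2 in.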