On Sun, Jan 01, 2017 at 04:37:48PM +0100, Raphael Hertzog wrote: > On Sat, 31 Dec 2016, Julien Cristau wrote: > > On Thu, Dec 22, 2016 at 13:37:11 +0100, Sebastian Andrzej Siewior wrote: > > > > > tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its > > > source? > > > > > > sslscan [0] as packaged in Debian currently relies on external libssl as > > > provided by the openssl package. The openssl package disables support > > > compression, SSLv2 and SSLv3 which is good but it also means that > > > sslscan can not detect a SSL implementation that is still providing > > > support for one of these deprecated protocols or compression. > > > One could say that it is not required to test for SSLv2 because if > > > libssl does not support it then it is not possible for an application to > > > offer it. However libssl is not the only SSL toolkit in Debian and one > > > might need to scan a non-Debian / older machine. > > > > > Is this really something we need to be shipping? If yes, I'd personally > > really like this to get an explicit exemption from normal policy by the > > security team, so please talk to them (debian-security@ldo is not it). > > "need" is somewhat hard to define, but to give an additional data point, > it's one of the things that we do in Kali to make it more useful for > security professionals so it would be nice if it we could do it in Debian > as well. > > That said sslscan is not the only tool where it could be useful and > packaging an alternate openssl-insecure should be considered too if it's > feasible (at least so that we can have alternative versions of the openssl > command line tools that can continue to support SSL2 and SSL3).
Note that SSLv2 has been completly removed in the 1.1 version, so you'll never have 1 openssl version that supports both SSLv2 and TLS 1.3. I think one of the other issues they run into is that OpenSSL no longer can send a ClientHello without any extensions, so they can't tests for extenstion tolerances. I think in the long run, those applications should consider using an other implementation of SSL/TLS, or write enough of if to be able to do the tests that they want. And I think there are already such other programs out there that can do that. Kurt
