Ian G wrote: > FreeBSD Security Advisories wrote: >> Applications which do not support SSLv2, have been configured to not >> permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING >> or SSL_OP_ALL options are not affected. >> >> IV. Workaround >> >> No workaround is available. > > Isn't the workaround obviously to switch off V2?
Disabling applications to not permit use of SSLv2 is a workaround. However, this is something which needs to be done on an application-by-application basis, and it is likely that there will be some applications will do not have any option for doing this. > In the phishing world - where users are being > exposed to losses in the billion dollar range > or so - we are crying out for the removal of v2. > Can this be done? SSL is supposed to negotiate the use of SSLv3 if it is supported by both the client and the server, so I don't see why disabling SSLv2 entirely would be useful aside from protecting against this vulnerability. Colin Percival _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
