[Pkg-openssl-devel] Bug#683158: Bug#683158: several openssl commands claim ssl2 is supported
Kurt Roeckx
kurt at roeckx.be
Wed Mar 2 09:55:37 UTC 2016
On Wed, Mar 02, 2016 at 10:01:23AM +0100, Sven Neuhaus wrote:
> Bug #589706 removed support for the "-ssl2" option but did not update
> the documentation of the builtin help.
>
> Due to the DROWN attack there is a renewed interest in the -ssl2 option
> to make sure your servers aren't vulnerable.
>
> I'd argue the option should be enabled again to allow for testing.
There is no way I'm going to enable anything related to SSLv2. If
I add SSLv2 support again to something like s_client it would mean
that the library needs to support SSLv2 again and that people can
actually go and enable it in applications.
Also, s_client can't find issues like CVE-2015-3197. If you want
something to test for it, there are actually several tools
available for it.
Kurt
More information about the Pkg-openssl-devel
mailing list