[Pkg-openssl-devel] embedding openssl source in sslcan

Kurt Roeckx kurt at roeckx.be
Sun Jan 1 16:49:35 UTC 2017


On Sun, Jan 01, 2017 at 04:37:48PM +0100, Raphael Hertzog wrote:
> On Sat, 31 Dec 2016, Julien Cristau wrote:
> > On Thu, Dec 22, 2016 at 13:37:11 +0100, Sebastian Andrzej Siewior wrote:
> > 
> > > tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its
> > > source?
> > > 
> > > sslscan [0] as packaged in Debian currently relies on external libssl as
> > > provided by the openssl package. The openssl package disables support
> > > compression, SSLv2 and SSLv3 which is good but it also means that
> > > sslscan can not detect a SSL implementation that is still providing
> > > support for one of these deprecated protocols or compression.
> > > One could say that it is not required to test for SSLv2 because if
> > > libssl does not support it then it is not possible for an application to
> > > offer it. However libssl is not the only SSL toolkit in Debian and one
> > > might need to scan a non-Debian / older machine.
> > > 
> > Is this really something we need to be shipping?  If yes, I'd personally
> > really like this to get an explicit exemption from normal policy by the
> > security team, so please talk to them (debian-security at ldo is not it).
> 
> "need" is somewhat hard to define, but to give an additional data point,
> it's one of the things that we do in Kali to make it more useful for
> security professionals so it would be nice if we could do it in Debian
> as well.
> 
> That said sslscan is not the only tool where it could be useful and
> packaging an alternate openssl-insecure should be considered too if it's
> feasible (at least so that we can have alternative versions of the openssl
> command line tools that can continue to support SSL2 and SSL3).

Note that SSLv2 has been completely removed in the 1.1 version, so
you'll never have 1 openssl version that supports both SSLv2 and
TLS 1.3. I think one of the other issues they run into is that
OpenSSL no longer can send a ClientHello without any extensions,
so they can't test for extension tolerances.

I think in the long run, those applications should consider using
another implementation of SSL/TLS, or write enough of it to be
able to do the tests that they want. And I think there are already
such other programs out there that can do that.


Kurt
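To illustrate Kurt's suggestion that a scanner can write "enough of it" itself instead of depending on what the system libssl still compiles in, here is an added example (not sslscan's code and not from anyone in the thread) that builds an extension-free SSLv3/TLS 1.0 ClientHello offering DEFLATE compression, the shape pre-1.1 OpenSSL could emit, and classifies the server's first record so an administrator can check their own servers for deprecated-protocol and compression support. The `probe` host/port, cipher list and sample response bytes are assumptions constructed for the example.

```python
import socket
import struct

SSL3_VERSION = (3, 0)   # SSLv3
TLS10_VERSION = (3, 1)  # TLS 1.0

def build_client_hello(version=SSL3_VERSION, cipher_suites=(0x002f, 0x000a, 0x0005),
                       compression=(1, 0)):
    """Record-layer ClientHello with no extensions block at all, offering DEFLATE (1)
    and null (0) compression, the shape pre-1.1 OpenSSL could still emit."""
    major, minor = version
    client_random = b"\x00" * 32  # constructed placeholder; a real probe uses os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    comp = bytes(compression)
    body = (bytes([major, minor]) + client_random + b"\x00"  # empty session id
            + struct.pack("!H", len(suites)) + suites + bytes([len(comp)]) + comp)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake

def parse_server_response(data):
    """Classify the server's first record: ("accepted", version, cipher, compression)
    when a ServerHello came back, ("alert", level, description) on a TLS alert."""
    if len(data) < 5:
        return ("short", None)
    ctype, rlen = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rlen]
    if ctype == 0x15 and len(payload) >= 2:          # alert record
        return ("alert", payload[0], payload[1])
    if ctype == 0x16 and payload[:1] == b"\x02":      # handshake record, ServerHello
        sh = payload[4:4 + int.from_bytes(payload[1:4], "big")]
        if len(sh) < 38:
            return ("short", None)
        off = 35 + sh[34]                             # skip version, random, session id
        if len(sh) < off + 3:
            return ("short", None)
        cipher = struct.unpack("!H", sh[off:off + 2])[0]
        return ("accepted", (sh[0], sh[1]), cipher, sh[off + 2])
    return ("unknown", ctype)

def probe(host, port=443, version=SSL3_VERSION, timeout=5.0):
    """Send the hello to a server you administer and classify its first record."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version))
        return parse_server_response(s.recv(4096))

# Constructed sample responses (not captured traffic): a ServerHello from a server that
# still accepts SSLv3 with DEFLATE compression, and a fatal protocol_version alert.
_sh_body = b"\x03\x00" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x01"
SAMPLE_SSL3_SERVER_HELLO = (b"\x16\x03\x00" + struct.pack("!H", 4 + len(_sh_body))
                            + b"\x02" + len(_sh_body).to_bytes(3, "big") + _sh_body)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # level 2 fatal, desc 70
```

A server answering the SSLv3 hello with a ServerHello whose compression byte is 1 still has both the deprecated protocol and compression enabled; a protocol_version alert is the expected, healthy response.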



