Bug#803259: support for deprecated openssl features

Stefan Bühler stbuehler at web.de
Thu May 18 13:49:34 UTC 2017


Hi,

I think a separate openssl-insecure package with a (possibly statically
linked) "/usr/bin/openssl-insecure" binary should be safe enough that
people don't "accidentally" use it.

If you would want to really make sure it isn't abused you'd put it
somewhere in /usr/lib/openssl-insecure/.

Building it from the same source as the standard openssl binary is the
higher risk in my opinion: what if some of the insecure build options
suddenly get applied to the main build?

Also upstream might remove some of the deprecated/broken features from
the code completely, in which case testssl.sh probably needs to learn to
use multiple binaries.

JFYI: I think the testssl.sh upstream openssl binary also has some other
patches, e.g. enabling IPv6.

cheers,
Stefan
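One check that goes with the concern above about insecure build options leaking into the main build: after each build, list the cipher suites the resulting `openssl` binary is willing to offer and fail if any legacy suite (export, NULL, anonymous DH, RC4, single DES, MD5 MAC) appears. The script below is an added example and not code from this thread or from the openssl or testssl.sh packages; the regular expression that defines "legacy" and the two sample cipher lists are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Flags legacy cipher
# suites in an openssl binary's cipher list so a packaging test can catch
# a main build that accidentally picked up the openssl-insecure options.

# Assumed definition of "legacy": suite names as printed by `openssl ciphers`
# that are export-grade, NULL encryption, anonymous DH/ECDH, RC4, single DES,
# or use an MD5 MAC. Adjust to the policy the package actually enforces.
WEAK_PATTERN='^(EXP-|NULL-|ADH-|AECDH-|RC4-|DES-CBC-)|-MD5$'

# weak_cipher_count: read suite names (one per line) on stdin and print how
# many match WEAK_PATTERN. Always exits 0 so it composes in pipelines.
weak_cipher_count() {
  grep -Ec "$WEAK_PATTERN" || true
}

# weak_ciphers_in_list: read suite names on stdin, print the legacy ones.
# Returns 0 when the list is clean and 1 when any legacy suite was found,
# which is the exit status a build-time test wants.
weak_ciphers_in_list() {
  found=$(grep -E "$WEAK_PATTERN" || true)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# check_binary: run a real openssl binary (path in $1) and test its full
# cipher list. 'ALL:COMPLEMENTOFALL' asks for every suite the build knows,
# including eNULL, so nothing the binary could offer is hidden from the check.
check_binary() {
  "$1" ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n' | weak_ciphers_in_list
}

# Constructed sample lists standing in for `openssl ciphers` output.
# A hardened main build is expected to look like the first list; a build that
# silently inherited the insecure options would look like the second.
MAIN_SAMPLE='ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305
AES128-SHA256'

INSECURE_SAMPLE='ECDHE-RSA-AES256-GCM-SHA384
RC4-SHA
EXP-RC4-MD5
DES-CBC-SHA
NULL-MD5
ADH-AES128-SHA'

# Usage: ./check-legacy-ciphers.sh /usr/bin/openssl
# With no argument the script only defines the functions and samples.
if [ "$#" -gt 0 ]; then
  if check_binary "$1"; then
    echo "ok: $1 offers no legacy cipher suites"
  else
    echo "FAIL: $1 offers legacy cipher suites listed above" >&2
    exit 1
  fi
fi
```

In a Debian packaging context this would run as an autopkgtest or from `debian/rules` against the freshly built main binary, and the separate openssl-insecure binary would be expected to fail it, which is exactly the separation the message argues for.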
