[Pkg-ace-devel] SSLv2

Pau Garcia i Quiles pgquiles at elpauer.org
Mon Apr 25 08:00:12 UTC 2011


>> Now for the bad part: Wheezy includes OpenSSL 1.0.0, which disables
>> SSLv2. The consequence is ACE fails to build from source.
>
> I guess this is #622074 [1]

It is, I had not noticed there was a bug against ACE.

>> Given that ACE already supports SSLv2, I am now looking into disabling
>> the SSLv2 code in ACE 6.0.2 to get it to build on Wheezy. Johnny, do
>> you have any plans on this matter?
>
> Does this completely disable ACE SSL?

No, it does not. It only disables SSLv2. ACE has support for SSLv2,
SSLv3 and TLSv1.

I am not sure how to disable it:

a) Keep the SSLv2 entries in the enumerations but make them actually use SSLv3.

This is what I did yesterday but after doing it I am not sure it's the
best choice.

It has the advantage that, if the application uses Debian on both sides,
there is no need for changes in the application. On the other hand, it
may lead to very weird-to-debug situations if you are connecting to an
SSLv2-only service that is not using Debian on the other side ("hey,
I'm telling it to use SSLv2 yet it fails", yeah, it's because ACE
SSLv2 is actually ACE SSLv3).



b) Completely remove SSLv2

Meaning: including removal from the enumerations, but keeping the
blanks for the former SSLv2 values (to avoid renumbering the
enumerations).

Advantage: it makes explicit SSLv2 is no longer supported.

Disadvantage: I need to check what happens with SSLv23 calls, I can't
remember if the code is easily transformable to SSLv3 calls.

I think this is the best choice.


c) Just disable SSLv2

Meaning: keep the enumerations, keep the methods, but instead of
making the calls to OpenSSL, fail. IMHO we should completely discard
this.



> Pau, I think we should do 6.0.1-2 for this RC bug, then 6.0.2-1. What's
> your opinion?


Sure, let's do 6.0.1-2 for the git migration + OpenSSL 1.0.0d
migration, then 6.0.2-1. I'd like to fix 599549 and maybe some others
in 6.0.2-1.

I'll work on 622074 today, maybe tomorrow if Mona (
http://fr.wikipedia.org/wiki/Mona_de_Pascua#Coutumes_et_traditions )
takes longer than expected :-)

-- 
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)
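
Options (a) and (b) from the message above, side by side, as an added example that is not part of the original post and not ACE's code. The `Method` enumeration, its numeric values and both selector functions are hypothetical; raw integers stand in for method values coming from code built against the old numbering.

```cpp
#include <iostream>
#include <string>

// Hypothetical enumeration (not ACE's real one). Values 1..3 were the SSLv2
// client/server/generic methods; they are left blank on purpose so that the
// remaining members keep their numeric values.
enum class Method : int {
    // 1, 2, 3: retired SSLv2 slots, intentionally unassigned
    SSLv3_client = 4, SSLv3_server = 5, SSLv3 = 6,
    TLSv1_client = 7, TLSv1_server = 8, TLSv1 = 9
};
static_assert(static_cast<int>(Method::SSLv3_client) == 4,
              "numbering must not shift when SSLv2 is removed");

constexpr bool is_retired_sslv2(int raw) { return raw >= 1 && raw <= 3; }
constexpr bool is_known(int raw) { return raw >= 4 && raw <= 9; }

// Option (a): a request for SSLv2 is silently served by the SSLv3 equivalent.
// The caller cannot tell that the protocol it asked for was not used.
bool select_option_a(int raw, Method &out) {
    if (is_retired_sslv2(raw)) raw += 3;           // SSLv2_x -> SSLv3_x
    if (!is_known(raw)) return false;
    out = static_cast<Method>(raw);
    return true;
}

// Option (b): the SSLv2 names no longer exist, and a stale numeric value is
// rejected with a reason that points at the real cause.
bool select_option_b(int raw, Method &out, std::string &why) {
    if (is_retired_sslv2(raw)) { why = "SSLv2 is no longer supported"; return false; }
    if (!is_known(raw))        { why = "unknown method value";         return false; }
    why.clear();
    out = static_cast<Method>(raw);
    return true;
}

int main() {
    Method m = Method::TLSv1;
    std::string why;
    std::cout << "option (a), raw 1 -> accepted: " << select_option_a(1, m)
              << ", method value " << static_cast<int>(m) << "\n";
    std::cout << "option (b), raw 1 -> accepted: " << select_option_b(1, m, why)
              << ", reason: " << why << "\n";
    return 0;
}
```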


