Openssl Update

Laurent Blume laurent at opencsw.org
Thu Mar 17 11:01:14 CET 2016


On 2016/03/17 09:19 +0100, Jan Holzhueter wrote:
> well it broke ABI. Which kind of sucks too.
> http://ptribble.blogspot.de/2016/03/moving-goalposts-with-openssl.html

What's pathetic is that distro makers are now whining that they are
forced to get their fingers out of their collective asses, because,
boo-hoo, the defaults have changed. Whereas not so long ago, people were
whining that OpenSSL sucked because, boo-hoo, its defaults never changed.

After checking my calendar again, yep, it's 2016. OpenSSL have been
saying for at least 2 years that SSLv2 should have been disabled! It's
not NEWS that SSLv2 is broken! So WHY was it kept enabled? Because it's
just easier to use defaults, so then they can reject responsibility to
somebody else?

«OpenSSL has been around a long time, and it carries around a lot of
cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is
completely broken, and you should disable it during configuration. You
can disable protocols and provide other options through Configure and
config, and the following lists some of them.»

https://wiki.openssl.org/index.php/Compilation_and_Installation

So, here's a thought: stop assuming that OpenSSL, a project that's been
underfunded until it got in the news, will magically deal with
every issue with old protocols. Packagers should use their brains: if they
don't have a compelling reason to keep an old crufty protocol, why is it
enabled?

Laurent
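A packager-side check for the point made above, added here as an example and not taken from the original post or from the OpenSSL project: the wiki excerpt says SSLv2 is disabled at build time through `Configure`/`config` (e.g. `./config no-ssl2 no-ssl3`), and the generated `opensslconf.h` then carries `OPENSSL_NO_SSL2`/`OPENSSL_NO_SSL3` defines. The script below inspects such a header and reports which legacy protocols are still compiled in, so a package build can fail early instead of shipping the defaults. The function names and the sample headers are constructed for this example; the header path in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an OpenSSL build was
# configured without SSLv2/SSLv3 by inspecting the generated opensslconf.h.
# The build-time switches the wiki excerpt refers to are, for instance:
#     ./config no-ssl2 no-ssl3 && make
# which make the generated header define OPENSSL_NO_SSL2 / OPENSSL_NO_SSL3.

# Print "disabled" if OPENSSL_NO_<feature> is defined in the header, else "ENABLED".
# $1 = path to opensslconf.h, $2 = feature suffix (SSL2, SSL3, ...)
openssl_feature_status() {
    conf="$1"
    feature="$2"
    if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_${feature}([[:space:]]|$)" "$conf"; then
        echo "disabled"
    else
        echo "ENABLED"
    fi
}

# Return 0 only if every listed feature is compiled out; print a line per feature.
# $1 = path to opensslconf.h, remaining args = feature suffixes to require disabled
check_legacy_protocols_disabled() {
    conf="$1"; shift
    rc=0
    for f in "$@"; do
        status=$(openssl_feature_status "$conf" "$f")
        echo "$f: $status"
        [ "$status" = "disabled" ] || rc=1
    done
    return $rc
}

# Constructed sample headers so the script runs stand-alone (not real OpenSSL output).
SAMPLE_GOOD=$(mktemp)   # build done with no-ssl2 no-ssl3
cat > "$SAMPLE_GOOD" <<'EOF'
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
EOF
SAMPLE_BAD=$(mktemp)    # build that left SSLv2 at the old default
cat > "$SAMPLE_BAD" <<'EOF'
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
EOF
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_BAD"' EXIT

echo "== hardened build =="
check_legacy_protocols_disabled "$SAMPLE_GOOD" SSL2 SSL3 || echo "FAIL: legacy protocol still enabled"
echo "== default build =="
check_legacy_protocols_disabled "$SAMPLE_BAD" SSL2 SSL3 || echo "FAIL: legacy protocol still enabled"
```

Against a real build, point it at the installed header (path assumed, e.g. `check_legacy_protocols_disabled /usr/include/openssl/opensslconf.h SSL2 SSL3`) as a post-build step in the package recipe; a non-zero exit then stops the package from being produced with SSLv2 silently left in.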
