Hi Alpine community,
since we got few questions on the latest OpenSSL commit [1], we'd like
clarify the reasons for re-enabling SSLv2 and weak ciphers.
Essentially we have reverted to the default behavior of OpenSSL 1.0.2f
and 1.0.1r. Disabling SSLv2 and weak ciphers breaks ABI compatibility.
Please note that even enabling SSLv2 and weak ciphers your application
will not use it unless you configure it to do so [2].
We see this as a temporary solution for not breaking current build.
We're looking forward to remove SSLv2/weak ciphers support from OpenSSL
by rebuilding world against OpenSSL or switching to LibreSSL sooner than
later.
Thanks
- leo
[1]
http://git.alpinelinux.org/cgit/aports/commit/?id=ad476430906e49fc46d2fac75a1ffbbe8466ec70
[2] http://openssl.org/news/secadv/20160301.txt:
Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client or
server variants, SSLv2 ciphers vulnerable to exhaustive search key
recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
ciphers, and SSLv2 56-bit DES are no longer available.