Subject: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled
From: Leonardo Arena
To: alpine-devel
Date: Wed, 02 Mar 2016 16:59:08 +0100

Hi Alpine community,

since we got a few questions on the latest OpenSSL commit [1], we'd like to
clarify the reasons for re-enabling SSLv2 and weak ciphers.

Essentially we have reverted to the default behavior of OpenSSL 1.0.2f
and 1.0.1r. Disabling SSLv2 and weak ciphers breaks ABI compatibility.

Please note that even with SSLv2 and weak ciphers enabled, your application
will not use them unless you configure it to do so [2].

We see this as a temporary solution for not breaking the current build.
We're looking forward to removing SSLv2/weak ciphers support from OpenSSL
by rebuilding world against OpenSSL or switching to LibreSSL sooner
rather than later.

Thanks

- leo

[1]
http://git.alpinelinux.org/cgit/aports/commit/?id=ad476430906e49fc46d2fac75a1ffbbe8466ec70

[2] http://openssl.org/news/secadv/20160301.txt:

    Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via
    the version-flexible SSLv23_method() will need to explicitly call
    either of:

        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
        or
        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

    as appropriate. Even if either of those is used, or the application
    explicitly uses the version-specific SSLv2_method() or its client or
    server variants, SSLv2 ciphers vulnerable to exhaustive search key
    recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
    ciphers, and SSLv2 56-bit DES are no longer available.
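
Added example, not part of the original message or of Alpine's or OpenSSL's code: a Python script that audits C source for the only SSLv2 opt-in paths the quoted advisory names, that is, clearing SSL_OP_NO_SSLv2 and calling the version-specific SSLv2 methods. The function names, the regular expressions and the sample source are constructed for this illustration.

```python
import re

# Strings are matched first so that "//" inside a literal is not read as a comment.
TOKENS = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)
# Argument text runs to the end of the statement, so multi-line calls are covered.
CLEAR_CALL = re.compile(r"\b(SSL_CTX_clear_options|SSL_clear_options)\s*\(([^;]*)")
V2_METHOD = re.compile(r"\bSSLv2_(?:client_|server_)?method\s*\(")


def _strip_comments(source):
    """Blank out C comments, keeping newlines so line numbers stay valid."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return TOKENS.sub(repl, source)


def find_sslv2_opt_in(source):
    """Return sorted (line, reason) pairs for code that opts in to SSLv2."""
    code = _strip_comments(source)
    hits = []
    for m in CLEAR_CALL.finditer(code):
        # Only a clear_options call that names SSL_OP_NO_SSLv2 re-enables SSLv2.
        if re.search(r"\bSSL_OP_NO_SSLv2\b", m.group(2)):
            line = code.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1) + " clears SSL_OP_NO_SSLv2"))
    for m in V2_METHOD.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        hits.append((line, "version-specific SSLv2 method"))
    return sorted(hits)


# Constructed sample source, not taken from any real project.
SAMPLE = '''\
#include <openssl/ssl.h>
/* SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); <- commented out, ignored */
SSL_CTX *make_ctx(void) {
    SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
    SSL_CTX_clear_options(ctx,
        SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
    SSL_CTX_clear_options(ctx, SSL_OP_NO_TICKET);
    return ctx;
}
SSL_CTX *legacy(void) { return SSL_CTX_new(SSLv2_client_method()); }
'''

if __name__ == "__main__":
    for line, reason in find_sslv2_opt_in(SAMPLE):
        print(f"line {line}: {reason}")
```

The scan is textual, so it will not see an option mask built in a variable or a method chosen through a function pointer; treat an empty result as a first pass rather than proof.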