Bug 577504

Summary:	dev-libs/openssl: drop also sslv3 as default
Product:	Gentoo Linux	Reporter:	Ettore Di Giacinto (RETIRED) <mudler>
Component:	Current packages	Assignee:	Gentoo's Team for Core System packages <base-system>
Status:	RESOLVED OBSOLETE
Severity:	normal	CC:	gentoo-bugs-augustin, itumaykin+gentoo, mudler
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=628144
Whiteboard:
Package list:		Runtime testing required:	---

Description Ettore Di Giacinto (RETIRED) gentoo-dev

2016-03-15 20:35:03 UTC

sslv3 it is deprecated and insecure (https://tools.ietf.org/html/rfc7568) why we ship it enabled still? 

Fedora dropped it too: http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.0.2g-disable-sslv2v3.patch

@sabayon we are using this version (https://github.com/Sabayon/for-gentoo/tree/master/dev-libs/openssl) with this patch included, which disables sslv2 and sslv3 as default, due to the sslv2 attack and the recent bump, worth considering for enhance security?

Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2016-03-16 11:10:19 UTC

I think the consensus here was to not remove SSLv3 until openssl-1.1.0 enters the tree. The rationale (among others) was that openssl-1.1.0 will come with a so-version bump so preserved-lib will protect users from immeadiately breaking their systems.
Furthermore many packages will require patches to compile against SSLv3-stripped openssl. I already started finding such packages in my personal overlay (poly-c). Fortunately debian people already did a tremendous job there.

Comment 2 Anthony Basile gentoo-dev

2016-04-12 12:55:44 UTC

(In reply to Lars Wendler (Polynomial-C) from comment #1)
> I think the consensus here was to not remove SSLv3 until openssl-1.1.0
> enters the tree. The rationale (among others) was that openssl-1.1.0 will
> come with a so-version bump so preserved-lib will protect users from
> immeadiately breaking their systems.
> Furthermore many packages will require patches to compile against
> SSLv3-stripped openssl. I already started finding such packages in my
> personal overlay (poly-c). Fortunately debian people already did a
> tremendous job there.

FYI, libressl-2.3.x has already dropped SSLv3 but its currently masked in the tree and will be unmasked soon, before openssl-1.1.x  Using it will probably tease out a pkgs that make calls to SSLv3 funcs.

Comment 3 SpanKY gentoo-dev

2016-05-24 20:15:07 UTC

at least with 1.0.2h, there are two sep config options: no-ssl3 (disable ssl3 support at runtime) and no-ssl3-method (drop the symbols from the ABI).

i've added USE=sslv3 that controls the no-ssl3 option to 1.0.2h-r1.  this allows the ABI to stay stable and people disable support for it.  i've left it enabled by default as that is what upstream is doing in this release ...

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c368fb17a68819926e0c7175be13b22c561b037

Comment 4 Michael Orlitzky gentoo-dev

2017-08-18 18:00:33 UTC

I'd like to ask you to reconsider the default value of the "sslv3" flag. The description of that flag is,

  Support for the old/insecure SSLv3 protocol -- note: not
  required for TLS/https

so it looks kinda bad to have it enabled by default.

The hardened team is considering turning off "sslv3" in the profile (bug 628144), which would make it diverge further from the other profiles, and deprive non-hardened users of the associated security benefits. As a counter-offer, I would rather see the remaining packages that set +sslv3 stop doing so.

The same flag was just disabled by default in GnuTLS a moment ago (bug 628198), so OpenSSL is the only remaining package with +sslv3.

Comment 5 Sam James archtester

2023-06-29 10:43:05 UTC

This has been done for us in OpenSSL 3.