Bug 628198

Summary: net-libs/gnutls: consider disabling sslv3 by default
Product: Gentoo Linux
Reporter: Michael Orlitzky <mjo>
Component: Current packages
Assignee: Crypto team [DISABLED] <crypto+disabled>
Status: RESOLVED FIXED
Severity: normal
CC: alonbl, fturco
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=628144
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-08-18 16:17:01 UTC
The "sslv3" USE flag has the following description,

  Support for the old/insecure SSLv3 protocol

but it's enabled by default (+sslv3 in IUSE). It looks kind of bad to have an "insecure" flag enabled by default =)

The hardened team are considering adding USE="-sslv2 -sslv3" to the hardened profile, but before they do, I'd like to ask if there's a good reason to leave it enabled in gnutls. If sslv3 can be turned off in gnutls and openssl by default, then we won't have to make the hardened profile diverge any further (and the other profiles will receive the desired benefits).

Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2017-08-18 17:41:35 UTC
I thought of this many times, and decided to wait for a change in the entire tree. Sounds reasonable to do this now.