SSLv3 is deprecated and insecure (https://tools.ietf.org/html/rfc7568); why do we still ship it enabled?
Fedora dropped it too: http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.0.2g-disable-sslv2v3.patch
@sabayon we are using this version (https://github.com/Sabayon/for-gentoo/tree/master/dev-libs/openssl) with this patch included, which disables SSLv2 and SSLv3 by default, due to the SSLv2 attack and the recent bump; worth considering to enhance security?
I think the consensus here was to not remove SSLv3 until openssl-1.1.0 enters the tree. The rationale (among others) was that openssl-1.1.0 will come with a so-version bump so preserved-lib will protect users from immediately breaking their systems.
Furthermore many packages will require patches to compile against SSLv3-stripped openssl. I already started finding such packages in my personal overlay (poly-c). Fortunately debian people already did a tremendous job there.
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> I think the consensus here was to not remove SSLv3 until openssl-1.1.0
> enters the tree. The rationale (among others) was that openssl-1.1.0 will
> come with a so-version bump so preserved-lib will protect users from
> immediately breaking their systems.
> Furthermore many packages will require patches to compile against
> SSLv3-stripped openssl. I already started finding such packages in my
> personal overlay (poly-c). Fortunately debian people already did a
> tremendous job there.
FYI, libressl-2.3.x has already dropped SSLv3, but it's currently masked in the tree and will be unmasked soon, before openssl-1.1.x. Using it will probably tease out the packages that make calls to SSLv3 funcs.
At least with 1.0.2h, there are two separate config options: no-ssl3 (disables SSLv3 support at runtime) and no-ssl3-method (drops the symbols from the ABI).
I've added USE=sslv3, which controls the no-ssl3 option, to 1.0.2h-r1. This allows the ABI to stay stable while letting people disable support for it. I've left it enabled by default as that is what upstream is doing in this release ...
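The practical consequence of the no-ssl3 vs. no-ssl3-method split, and of USE=sslv3 staying on by default, is that an application cannot assume the library it links against refuses SSLv3; it has to say so itself. The following is an added example (not part of this bug, and not Gentoo's or OpenSSL's own code) that uses Python's standard ssl module to (a) report whether the linked OpenSSL/LibreSSL was built with SSLv3 (Python's HAS_SSLv3 and PROTOCOL_SSLv3 both track the OPENSSL_NO_SSL3 define set by no-ssl3; the no-ssl3-method ABI distinction is not visible from Python) and (b) show a permissive "before" context next to a hardened one that can never negotiate SSLv3 regardless of the build. All function names are my own:

```python
import ssl


def sslv3_build_status():
    """Report what the OpenSSL (or LibreSSL) linked into this interpreter offers.

    has_sslv3 and protocol_sslv3_exposed are both derived by CPython from
    OPENSSL_NO_SSL3, i.e. from the no-ssl3 build option; a no-ssl3-method build
    (symbols dropped from the ABI) is not distinguishable from here.
    """
    return {
        "library": ssl.OPENSSL_VERSION,
        "has_sslv3": bool(getattr(ssl, "HAS_SSLv3", False)),
        "protocol_sslv3_exposed": hasattr(ssl, "PROTOCOL_SSLv3"),
    }


def legacy_permissive_context():
    """The weak 'before' configuration: a generic TLS context with the
    OP_NO_SSLv3 bit cleared and no version floor, so it accepts whatever the
    library was built to speak. If the library still ships SSLv3 (USE=sslv3
    on), this context will happily negotiate it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    ctx.options &= ~ssl.OP_NO_SSLv3
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def make_client_context():
    """Hardened client context that refuses SSLv3 (and SSLv2) irrespective of
    what the library permits: defence in depth for a build with SSLv3 left in."""
    ctx = ssl.create_default_context()
    # Floor the negotiable version. This is the supported replacement for the
    # OP_NO_SSLv3 / OP_NO_TLSv1* option bits on OpenSSL 1.1.0 and later.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sslv3_disabled(ctx):
    """True if ctx can never negotiate SSLv3: either the legacy OP_NO_SSLv3 bit
    is set or the version floor lies above SSLv3. minimum_version may be the
    negative MINIMUM_SUPPORTED sentinel ('whatever the library allows'), which
    is why the option bit is consulted as well."""
    floor_above_sslv3 = ctx.minimum_version > ssl.TLSVersion.SSLv3
    return bool(ctx.options & ssl.OP_NO_SSLv3) or floor_above_sslv3


if __name__ == "__main__":
    for key, value in sslv3_build_status().items():
        print(f"{key}: {value}")
    print("legacy context refuses SSLv3:", sslv3_disabled(legacy_permissive_context()))
    print("hardened context refuses SSLv3:", sslv3_disabled(make_client_context()))
```

Run it against the interpreter on a host whose OpenSSL was built with and without USE=sslv3: has_sslv3 flips, but sslv3_disabled(make_client_context()) is True either way, which is the property an application should rely on rather than the distribution's USE default.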
I'd like to ask you to reconsider the default value of the "sslv3" flag. The description of that flag is,
    Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https
so it looks kinda bad to have it enabled by default.
The hardened team is considering turning off "sslv3" in the profile (bug 628144), which would make it diverge further from the other profiles, and deprive non-hardened users of the associated security benefits. As a counter-offer, I would rather see the remaining packages that set +sslv3 stop doing so.
The same flag was just disabled by default in GnuTLS a moment ago (bug 628198), so OpenSSL is the only remaining package with +sslv3.