Bug 577504 - dev-libs/openssl: drop also sslv3 as default
Summary: dev-libs/openssl: drop also sslv3 as default
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-15 20:35 UTC by Ettore Di Giacinto
Modified: 2018-05-05 05:03 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---
Description Ettore Di Giacinto gentoo-dev 2016-03-15 20:35:03 UTC
sslv3 is deprecated and insecure (https://tools.ietf.org/html/rfc7568); why do we still ship it enabled?

Fedora dropped it too: http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.0.2g-disable-sslv2v3.patch

@sabayon we are using this version (https://github.com/Sabayon/for-gentoo/tree/master/dev-libs/openssl) with this patch included, which disables sslv2 and sslv3 by default, due to the sslv2 attack and the recent bump. Worth considering to enhance security?
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2016-03-16 11:10:19 UTC
I think the consensus here was to not remove SSLv3 until openssl-1.1.0 enters the tree. The rationale (among others) was that openssl-1.1.0 will come with a so-version bump, so preserved-lib will protect users from immediately breaking their systems.
Furthermore, many packages will require patches to compile against SSLv3-stripped openssl. I already started finding such packages in my personal overlay (poly-c). Fortunately the Debian people already did a tremendous job there.
Comment 2 Anthony Basile gentoo-dev 2016-04-12 12:55:44 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> I think the consensus here was to not remove SSLv3 until openssl-1.1.0
> enters the tree. The rationale (among others) was that openssl-1.1.0 will
> come with a so-version bump so preserved-lib will protect users from
> immediately breaking their systems.
> Furthermore many packages will require patches to compile against
> SSLv3-stripped openssl. I already started finding such packages in my
> personal overlay (poly-c). Fortunately debian people already did a
> tremendous job there.

FYI, libressl-2.3.x has already dropped SSLv3, but it's currently masked in the tree and will be unmasked soon, before openssl-1.1.x. Using it will probably tease out pkgs that make calls to SSLv3 funcs.
Comment 3 SpanKY gentoo-dev 2016-05-24 20:15:07 UTC
at least with 1.0.2h, there are two sep config options: no-ssl3 (disable ssl3 support at runtime) and no-ssl3-method (drop the symbols from the ABI).

i've added USE=sslv3 that controls the no-ssl3 option to 1.0.2h-r1.  this allows the ABI to stay stable and lets people disable support for it.  i've left it enabled by default as that is what upstream is doing in this release ...

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c368fb17a68819926e0c7175be13b22c561b037
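An added example, not code from this bug, the Gentoo ebuild or the linked commit: a small Python audit that reports, for the OpenSSL the interpreter is linked against, whether SSLv3 support survived the build and whether a given SSLContext could still negotiate it. It also builds a deliberately permissive context to show what the check flags. It assumes Python 3.7+ (for ssl.HAS_SSLv3, ssl.TLSVersion and SSLContext.minimum_version); reading ssl.HAS_SSLv3 as the effect of the no-ssl3 configure option and the absence of ssl.PROTOCOL_SSLv3 as the effect of dropping the SSLv3 method symbols is my interpretation of CPython's _ssl module, not something the comment above states.

```python
import ssl


def build_has_sslv3() -> bool:
    """True if the linked libssl was compiled with SSLv3 support.

    ssl.HAS_SSLv3 (Python 3.7+) is False when OpenSSL was configured with
    no-ssl3, which defines OPENSSL_NO_SSL3 (assumed mapping, see lead-in).
    """
    return bool(getattr(ssl, "HAS_SSLv3", False))


def sslv3_method_exposed() -> bool:
    """True if an SSLv3-only protocol method is still reachable from Python.

    CPython only defines ssl.PROTOCOL_SSLv3 when the SSLv3 method symbols
    survived the build; a no-ssl3 / no-ssl3-method build leaves it absent.
    """
    return hasattr(ssl, "PROTOCOL_SSLv3")


def context_blocks_sslv3(ctx: ssl.SSLContext) -> bool:
    """True if ctx refuses SSLv3 even on a build that still supports it.

    Either the OP_NO_SSLv3 option bit is set on the context, or its
    minimum_version (Python 3.7+, OpenSSL >= 1.1.0g) is TLS 1.0 or newer.
    """
    if int(ctx.options) & int(ssl.OP_NO_SSLv3):
        return True
    tls_version = getattr(ssl, "TLSVersion", None)
    try:
        minimum = ctx.minimum_version
    except (AttributeError, ValueError):
        # Older Python/OpenSSL without a version floor: nothing else guards it.
        return False
    return tls_version is not None and minimum >= tls_version.TLSv1


def legacy_permissive_context() -> ssl.SSLContext:
    """Constructed example of a context that has had its SSLv3 guards removed.

    This is what a library that clears OP_NO_SSLv3 and lowers the version
    floor would hand you; the audit function above must report it as unsafe.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Clear the OP_NO_SSLv3 bit (clearing, unlike setting, is not deprecated).
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_sslv3() -> dict:
    """Summarise the SSLv3 posture of this interpreter's OpenSSL."""
    client = ssl.create_default_context()
    server = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "build_has_sslv3": build_has_sslv3(),
        "sslv3_method_exposed": sslv3_method_exposed(),
        "default_client_context_blocks_sslv3": context_blocks_sslv3(client),
        "default_server_context_blocks_sslv3": context_blocks_sslv3(server),
        "legacy_context_blocks_sslv3": context_blocks_sslv3(legacy_permissive_context()),
    }


if __name__ == "__main__":
    for key, value in audit_sslv3().items():
        print(f"{key}: {value}")
```

On a build with USE=sslv3 (the 1.0.2h-r1 default described above) the first two fields come back True even though the default contexts block the protocol; the point of the build-time options is that the last line of defence is then no longer a per-application setting, which the legacy context shows can be undone.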
Comment 4 Michael Orlitzky gentoo-dev 2017-08-18 18:00:33 UTC
I'd like to ask you to reconsider the default value of the "sslv3" flag. The description of that flag is,

  Support for the old/insecure SSLv3 protocol -- note: not
  required for TLS/https

so it looks kinda bad to have it enabled by default.

The hardened team is considering turning off "sslv3" in the profile (bug 628144), which would make it diverge further from the other profiles, and deprive non-hardened users of the associated security benefits. As a counter-offer, I would rather see the remaining packages that set +sslv3 stop doing so.

The same flag was just disabled by default in GnuTLS a moment ago (bug 628198), so OpenSSL is the only remaining package with +sslv3.