Bug 628198 - net-libs/gnutls: consider disabling sslv3 by default
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Crypto team [DISABLED]
Reported: 2017-08-18 16:17 UTC by Michael Orlitzky
Modified: 2017-08-18 17:41 UTC
Description Michael Orlitzky gentoo-dev 2017-08-18 16:17:01 UTC
The "sslv3" USE flag has the following description,

  Support for the old/insecure SSLv3 protocol

but it's enabled by default (+sslv3 in IUSE). It looks kind of bad to have an "insecure" flag enabled by default =)

The hardened team are considering adding USE="-sslv2 -sslv3" to the hardened profile, but before they do, I'd like to ask if there's a good reason to leave it enabled in gnutls. If sslv3 can be turned off in gnutls and openssl by default, then we won't have to make the hardened profile diverge any further (and the other profiles will receive the desired benefits).
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2017-08-18 17:41:35 UTC
I thought of this many times, and decided to wait for a change in the entire tree. Sounds reasonable to do this now.