View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0000146Kali LinuxKali Package Bugpublic2013-03-19 19:422020-12-01 10:48
Reporterpurehate Assigned Torhertzog  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Fixed in Version1.1.0 
Summary0000146: The debian openssl has a --no-sslv2 patch
Description

The Debian version of openssl has a patch which prevents testing of sslv2 web servers

Steps To Reproduce

root@kali:~# openssl
OpenSSL> s_client -connect www.<insertserver>.com:443 -ssl2

Error: invalid arg -ssl2

In order to fix the package needs to be forked and rebuilt with the following 2 fixes

vi debian/patches/series # remove the line "no-ssl2.patch"
vi debian/rules # remove the arg that says no-ssl2

Activities

muts

muts

2013-03-20 11:24

reporter   ~0000151

This bug report conflicts with http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706

Looking into a more elegant solution than removing the patch completely.
rhertzog

rhertzog

2013-03-20 11:34

administrator   ~0000152

Note that the patch no-ssl2.patch has been merged upstream and thus no longer exists in debian/patches/. The configure option is still there though.

Ideally we should find a way to keep SSLv2 support in the lib but it should be disabled for all applications except those that add some special force flags. I don't know enough of the API internals to know whether this suggestion makes sense but we should definitely investigate in that direction to try to avoid the need to fork this package. The reason why SSLv2 has been dropped is that it's considered unsafe and server applications should not offer it as an option. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706

Or maybe we can package something separate that provides a SSLv2 "client", it could even be openssl itself repackaged differently to just provide an "openssl2" program that would bundle the static libraries with SSLv2 support.
rhertzog

rhertzog

2015-01-29 19:22

administrator   ~0002981

We're now shipping a version of sslscan that links statically against libopenssl and can thus scan SSLv2 and SSLv3 even if those are dropped from Debian's openssl.

Are there other programs that really need SSLv2 to work properly? If yes, feel free to reopen this ticket.

Issue History

Date Modified Username Field Change
2013-03-19 19:42 purehate New Issue
2013-03-20 11:24 muts Note Added: 0000151
2013-03-20 11:24 muts Status new => acknowledged
2013-03-20 11:34 rhertzog Note Added: 0000152
2015-01-29 19:22 rhertzog Note Added: 0002981
2015-01-29 19:22 rhertzog Status acknowledged => resolved
2015-01-29 19:22 rhertzog Fixed in Version => 1.1.0
2015-01-29 19:22 rhertzog Resolution open => fixed
2015-01-29 19:22 rhertzog Assigned To => rhertzog
2020-12-01 10:48 g0tmi1k Priority high => normal