0000146: The Debian openssl has a --no-sslv2 patch
Category: Kali Package Bug

Description:
The Debian version of openssl has a patch which prevents testing of SSLv2 web servers.
Steps To Reproduce:
Error: invalid arg -ssl2

In order to fix this, the package needs to be forked and rebuilt with the following 2 fixes:
    vi debian/patches/series   # remove the line "no-ssl2.patch"
Note:
This bug report conflicts with http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706
Looking into a more elegant solution than removing the patch completely.
Note:
Note that the patch no-ssl2.patch has been merged upstream and thus no longer exists in debian/patches/. The configure option is still there though.
Ideally we should find a way to keep SSLv2 support in the lib but it should be disabled for all applications except those that add some special force flags. I don't know enough of the API internals to know whether this suggestion makes sense but we should definitely investigate in that direction to try to avoid the need to fork this package. The reason why SSLv2 has been dropped is that it's considered unsafe and server applications should not offer it as an option. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706
Or maybe we can package something separate that provides an SSLv2 "client"; it could even be openssl itself repackaged differently to just provide an "openssl2" program that would bundle the static libraries with SSLv2 support.
Note:
We're now shipping a version of sslscan that links statically against libopenssl and can thus scan SSLv2 and SSLv3 even if those are dropped from Debian's openssl.
Are there other programs that really need SSLv2 to work properly? If yes, feel free to reopen this ticket.
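The ticket's underlying need is a way to check whether a server still answers SSLv2 even when the system openssl has the protocol compiled out. As an added example, not code from the ticket, from Kali or from sslscan, the following Python speaks the SSLv2 ClientHello/ServerHello exchange directly over a socket, so an audit of your own hosts does not depend on the library; the function names, the constructed 16-byte challenge and the offline sample bytes are my own, while the message layout and cipher-kind codes are those of the SSL 2.0 specification. A non-None result from probe_sslv2() means the host still negotiates SSLv2 and needs its configuration fixed.

```python
import socket
import struct

SSL2_MT_CLIENT_HELLO = 0x01  # message types and version from the SSL 2.0 specification
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002
SSL2_CIPHERS = {  # 3-byte cipher kinds, named as in the specification
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

def ssl2_record(body):
    """Wrap a message in the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_client_hello(challenge=b"\x00" * 16):
    """ClientHello offering every SSLv2 cipher kind; the 16-byte challenge is a constructed dummy."""
    specs = b"".join(SSL2_CIPHERS)
    # fields after the type and version: cipher-specs length, session-id length (none), challenge length
    hdr = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION, len(specs), 0, len(challenge))
    return ssl2_record(hdr + specs + challenge)

def parse_server_hello(data):
    """Return the cipher kinds a server offered, or None if the reply is not an SSLv2 ServerHello."""
    if len(data) < 2 or not data[0] & 0x80:
        return None  # no SSLv2 record header (a TLS alert, or nothing at all)
    body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    if len(body) < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None
    # session_id_hit(1) cert_type(1) version(2) cert_len(2) cipher_len(2) conn_id_len(2)
    _, _, version, cert_len, cipher_len, _ = struct.unpack(">BBHHHH", body[1:11])
    if version != SSL2_VERSION:
        return None
    specs = body[11 + cert_len:11 + cert_len + cipher_len]
    return [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]

def probe_sslv2(host, port=443, timeout=5.0):
    """Audit one server: a non-None result means it still completes SSLv2 handshakes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return parse_server_hello(sock.recv(4096))
        except socket.timeout:
            return None
```

Servers that have dropped SSLv2 typically answer the SSLv2 ClientHello with a TLS alert or close the connection, both of which parse_server_hello() reports as None.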
Issue History:
Note Added: 0000151
Status: new => acknowledged
Note Added: 0000152
Note Added: 0002981
Status: acknowledged => resolved
Resolution: open => fixed
Priority: high => normal