2017-07-27 18:42 UTC

View Issue Details

ID: 0000146
Project: Kali Linux
Category: [All Projects] Kali Package Bug
View Status: public
Last Update: 2017-02-01 14:14
Reporter: purehate
Assigned To: rhertzog
Priority: high
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 1.1.0
Summary: 0000146: The Debian openssl has a --no-sslv2 patch

Description: The Debian version of openssl has a patch which prevents testing of sslv2 web servers.

Steps To Reproduce:

root@kali:~# openssl
OpenSSL> s_client -connect www.<insertserver>.com:443 -ssl2

Error: invalid arg -ssl2

In order to fix this, the package needs to be forked and rebuilt with the following 2 fixes:

vi debian/patches/series # remove the line "no-ssl2.patch"
vi debian/rules # remove the arg that says no-ssl2


Notes

~0000151

muts (administrator)

This bug report conflicts with http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706

Looking into a more elegant solution than removing the patch completely.

~0000152

rhertzog (administrator)

Note that the patch no-ssl2.patch has been merged upstream and thus no longer exists in debian/patches/. The configure option is still there though.

Ideally we should find a way to keep SSLv2 support in the lib but it should be disabled for all applications except those that add some special force flags. I don't know enough of the API internals to know whether this suggestion makes sense but we should definitely investigate in that direction to try to avoid the need to fork this package. The reason why SSLv2 has been dropped is that it's considered unsafe and server applications should not offer it as an option. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589706

Or maybe we can package something separate that provides an SSLv2 "client", it could even be openssl itself repackaged differently to just provide an "openssl2" program that would bundle the static libraries with SSLv2 support.

~0002981

rhertzog (administrator)

We're now shipping a version of sslscan that links statically against libopenssl and can thus scan SSLv2 and SSLv3 even if those are dropped from Debian's openssl.

Are there other programs that really need SSLv2 to work properly? If yes, feel free to reopen this ticket.
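The reporter's symptom (invalid arg -ssl2) and rhertzog's distinction between library-level and application-level support both come down to one question: was SSLv2/SSLv3 compiled out of the OpenSSL build on this host? The following is an added check, not code from this ticket or from Kali's packaging, that answers it for both the library Python is linked against and the openssl command-line binary. It assumes Python 3.7 or later (for the ssl module's HAS_* flags); the sample help text is constructed to match the layout of `openssl s_client -help` on OpenSSL 1.1, and `binary_protocol_support` returns None when no openssl binary is installed.

```python
import re
import ssl
import subprocess

# Each flag is True only when the OpenSSL library that this Python links
# against was built with that protocol (requires Python 3.7+).
_LIB_FLAGS = {
    "SSLv2": ssl.HAS_SSLv2,
    "SSLv3": ssl.HAS_SSLv3,
    "TLSv1": ssl.HAS_TLSv1,
    "TLSv1.1": ssl.HAS_TLSv1_1,
    "TLSv1.2": ssl.HAS_TLSv1_2,
    "TLSv1.3": ssl.HAS_TLSv1_3,
}

# s_client switches to look for in the binary's help output. -tls1_2 is
# included as a sanity check: a build that lists none of them at all is
# distinguishable from one that merely lacks the legacy protocols.
_SWITCHES = {"-ssl2": "SSLv2", "-ssl3": "SSLv3", "-tls1_2": "TLSv1.2"}

# Constructed sample, laid out like OpenSSL 1.1's `s_client -help`, for a
# build where SSLv2 was compiled out (the Debian situation in the ticket).
SAMPLE_HELP_WITHOUT_SSL2 = """\
Usage: s_client [options]
Valid options are:
 -help               Display this summary
 -ssl3               Just use SSLv3
 -tls1_2             Just use TLSv1.2
"""


def openssl_library_version() -> str:
    """Version string of the OpenSSL library Python is linked with."""
    return ssl.OPENSSL_VERSION


def library_protocol_support() -> dict:
    """{protocol: bool} for the linked OpenSSL library."""
    return dict(_LIB_FLAGS)


def parse_s_client_help(help_text: str) -> dict:
    """Given the text of `openssl s_client -help`, report which protocol
    switches the binary accepts. A switch that was compiled out does not
    appear in the help at all, which is why -ssl2 fails with
    'invalid arg' on a no-ssl2 build."""
    found = {name: False for name in _SWITCHES.values()}
    for line in help_text.splitlines():
        for switch, name in _SWITCHES.items():
            if re.match(r"\s*" + re.escape(switch) + r"\b", line):
                found[name] = True
    return found


def binary_protocol_support(openssl_path: str = "openssl"):
    """Run `<openssl_path> s_client -help` and parse it.
    Returns None when the binary is missing or does not respond."""
    try:
        proc = subprocess.run(
            [openssl_path, "s_client", "-help"],
            capture_output=True, text=True, timeout=10,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # Older OpenSSL prints the help on stderr, newer on stdout.
    return parse_s_client_help(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print("library:", openssl_library_version())
    for proto, ok in library_protocol_support().items():
        print(f"  {proto:8s} {'yes' if ok else 'no'}")
    binary = binary_protocol_support()
    print("binary:", binary if binary is not None else "no openssl binary found")
```

On any current distribution both reports will show SSLv2 absent, which is exactly what the ticket is about: a tool that must still speak SSLv2 cannot rely on the system library, hence the statically linked sslscan mentioned above.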

Issue History
Date Modified Username Field Change
2013-03-19 19:42 purehate New Issue
2013-03-20 11:24 muts Note Added: 0000151
2013-03-20 11:24 muts Status new => acknowledged
2013-03-20 11:34 rhertzog Note Added: 0000152
2015-01-29 19:22 rhertzog Note Added: 0002981
2015-01-29 19:22 rhertzog Status acknowledged => resolved
2015-01-29 19:22 rhertzog Fixed in Version => 1.1.0
2015-01-29 19:22 rhertzog Resolution open => fixed
2015-01-29 19:22 rhertzog Assigned To => rhertzog