openssl: variant with SSLv2 support?

[udbraumann]

As openssl 1.0.2g has no longer SSLv2 enabled by default, I wonder if a variant could be made wich re-enables SSLv2 during configure time? E.g. the port sslscan cannot be build anymore if SSLv2 is turned off: #50855

[neverpanic (Clemens Lang)]

Given the security issues in SSLv2 I would like to avoid offering the possibility to make your own system insecure, especially since installing openssl +ssl2 would not only affect sslscan.

Larry, what's your opinion on this?

[ryandesign (Ryan Carsten Schmidt)]

I agree. Fix sslscan instead.

[vallon (Justin)]

#50872 is a build failure of courier-imap.

How are clients (of openssl) supposed to handle the deprecation of SSLv2_method? What is the proper procedure for removing the call to the removed function? Assume I know nothing about the openssl API.

The alternative is to upgrade to courier-imap latest release, and complain to their maintainer if it doesn't build against openssl latest.

[larryv (Lawrence Velázquez)]

Replying to cal@…:

Larry, what's your opinion on this?

I concur with you and Ryan: I don’t like the idea of letting users backslide on this. Plus, upstream is planning to ​remove SSLv2 entirely by 1.1.0, so incompatible ports will have to be fixed anyway. If there are many such ports, we could use this ticket to keep track of the work.

[vallon (Justin)]

Cc Me!

[neverpanic (Clemens Lang)]

courier-imap is being handled in #50872. sslscan will have to be fixed upstream. Closing this as wontfix since we all agree that we should no longer provide SSLv2.