[Pkg-ace-devel] Fwd: [Bug 3958] debian doesn't ship sslv2 anymore

Pau Garcia i Quiles pgquiles at elpauer.org
Tue May 24 18:47:50 UTC 2011


On Thu, May 19, 2011 at 9:31 AM, Thomas Girard <thomas.g.girard at free.fr> wrote:
> Hello,
>
> On 19/05/2011 01:04, Pau Garcia i Quiles wrote:
>> Can we please delay the upload a few days? I may be able to work on
>> this issue this weekend.
>
> Okay.
>
> Thanks for your work,

After a few hours on this last weekend, I think my initial solution is
the right one but only because it preserves the same odd approach ACE
has: send junk, get SSLv3.

Defaulting to anything else (i.e. not establishing an SSLv3 connection)
would be safer but would also break upstream's default behavior. In
fact, IMHO the "SSLv3 by default" behavior may even lead to DoS
attacks by exhaustion of resources on the server side :-/ Maybe I
should open a bug report asking to change this default?

-- 
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)


