Re: embedding openssl source in sslcan

To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: debian-security@lists.debian.org, debian-release@lists.debian.org
Subject: Re: embedding openssl source in sslcan
From: Jonathan Yu <jawnsy@cpan.org>
Date: Sat, 24 Dec 2016 13:10:52 -0800
Message-id: <[🔎] CAMDxSEjPtpCzthi=HnaT+Ue5d6HRuXzHG+sB3QT7+WcB8De5cQ@mail.gmail.com>
In-reply-to: <slrno5qp4q.ako.jmm@inutil.org>
References: <[🔎] 20161222123710.pbppawo4k6trfzyy@breakpoint.cc> <slrno5qp4q.ako.jmm@inutil.org>

Given that this would be useful for other tools, perhaps it's best to create an "openssl-insecure" package which would ship a version of openssl that has all the bells-and-whistles enabled (including the insecure ones). We would have to take care that nothing is unintentionally linked to the library. It would be a useful companion to software like testssl.sh (which has similar requirements to sslscan)

I certainly don't have strong feelings about this, especially given that I haven't done any of the work... Just a thought :)

On Fri, Dec 23, 2016 at 9:53 AM, Moritz Mühlenhoff <jmm@inutil.org> wrote:

Sebastian Andrzej Siewior <sebastian@breakpoint.cc> schrieb:

Please use team@security.debian.org if you want to reach the security
team, not debian-security@ldo.

> tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its
> source?

That's for post-stretch, right? Right now it can simply link against
the 1.0.2 copy,

Seems fine to me for that use case, and it won't need any security
updates to the embedded openssl copy for all practical purposes anyway.

Cheers,
Moritz

Cheers,

Jonathan

Reply to:

References:
- embedding openssl source in sslcan
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Prev by Date: Processed: Re: Bug#848942: jessie-pu: package most/5.0.0a-2.3
Next by Date: NEW changes in stable-new
Previous by thread: embedding openssl source in sslcan
Next by thread: Re: embedding openssl source in sslcan
Index(es):
- Date
- Thread