Hacker News new | past | comments | ask | show | jobs | submit login

Typically, most server software has configuration options that allow you to specify which protocol versions are permitted (i.e. ssl_protocols in nginx, SSLProtocol in apache). Sometimes, they also bring defaults that are stricter than what OpenSSL supports by default.

The difference between older OpenSSL versions shipped by distributions and the latest version is not that newer protocols aren't supported, but that they haven't completely removed support for older, insecure protocols. For example, SSLv2 was only disabled by default in OpenSSL 1.0.2g, which was released today. Meanwhile, a lot of server software (e.g. nginx) had it disabled by default for quite some time now.

This is mostly relevant if you have code that uses OpenSSL directly - but then it's probably not a good idea to rely on OpenSSL defaults anyway.

tl;dr Older OpenSSL versions are probably fine as long as your server software has good defaults.




Ok, can you tell in short, which server software is involved?

Nginx is not the only one, I guess. At least ssh should also be in the boat ... and the mail server .... and ....


OpenSSH is a different project that doesn't use OpenSSL, so that's not affected.

As for other software, it depends on the defaults and how their code disables SSLv2 (i.e. whether they just disable all SSLv2 ciphers, or disable the actual protocol with SSL_OP_NO_SSLv2).

Anyway, it's likely that most distributions will backport the fix soon for all supported OS versions (either by disabling SSLv2 too or by including the fix from OpenSSL 1.0.2f that allows SSLv2 handshakes even if SSLv2 ciphers are disabled).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: