Re: [hackers] Updating SSL patch for ii.

From: Quentin Rameau <quinq_AT_fifth.space>
Date: Sun, 29 Jan 2017 23:49:06 +0100

On Sun, 29 Jan 2017 23:38:17 +0100
Laslo Hunhold <dev_AT_frign.de> wrote:

> On Sun, 29 Jan 2017 17:16:55 -0500
> "S. Gilles" <sgilles_AT_math.umd.edu> wrote:
>
> Hey,
>
> > On my Linux system (Gentoo), it's available as part of the libressl
> > package. It even seems to have manpages taken directly from
> > OpenBSD.
>
> I'm running Gentoo as well and should've given the libressl-ebuild
> more consideration. To be honest, making the switch from OpenSSL to
> LibreSSL is still non-trivial, but there is progress.
>
> I was wondering if it even works with OpenSSL. Looking at tls.c, it's
> using tls_internal.h, which makes me assume that it's closely bound to
> LibreSSL. I follow LibreSSL-development very closely and am shocked at
> the state the OpenSSL-codebase was/is in.
> Every developer working on LibreSSL is doing god's work and for good
> reason more and more independent security researchers are sending
> their patches to the LibreSSL-team instead of the OpenSSL-team, whose
> sole purpose at the time when Heartbleed was discovered in 2014
> seemed to be to give FIPS-seminars and raise funds.
> It speaks for itself that issues in their bugtracker were ignored, to
> the point that the LibreSSL-devs went through it and applied the
> fixes themselves. Also take a look at the significant number of CVEs
> in the last years which LibreSSL wasn't affected by because they
> deployed good coding measures, removed cruft and generally put more
> trust in the underlying operating system to provide good random data,
> a good memory allocator and so on.
>
> What is truly remarkable is the fact that such a little team around
> Bob Beck was able to pull this off so efficiently.
>
> I wonder why there is not even more effort to adopt LibreSSL in the
> major Linux distributions. I think it's just a matter of time until we
> see the next major security hole in OpenSSL.
>
> Cheers
>
> Laslo
>

Cool story, bro
Received on Sun Jan 29 2017 - 23:49:06 CET
