Re: [hackers] Updating SSL patch for ii.

From: Laslo Hunhold <dev_AT_frign.de>
Date: Sun, 29 Jan 2017 23:38:17 +0100

On Sun, 29 Jan 2017 17:16:55 -0500
"S. Gilles" <sgilles_AT_math.umd.edu> wrote:

Hey,

> On my Linux system (Gentoo), it's available as part of the libressl
> package. It even seems to have manpages taken directly from OpenBSD.

I'm running Gentoo as well and should've given the libressl-ebuild more
consideration. To be honest, making the switch from OpenSSL to LibreSSL
is still non-trivial, but there is progress.

I was wondering if it even works with OpenSSL. Looking at tls.c, it's
using tls_internal.h, which makes me assume that it's closely bound to
LibreSSL. I follow LibreSSL development very closely and am shocked at
what state the OpenSSL codebase was/is in.
Every developer working on LibreSSL is doing God's work, and for good
reason more and more independent security researchers are sending their
patches to the LibreSSL team instead of the OpenSSL team, whose sole
purpose at the time when Heartbleed was discovered in 2014 seemed to be
to give FIPS seminars and raise funds.
It speaks for itself that issues in their bug tracker were ignored, to
the point that the LibreSSL devs went through it and applied the fixes
themselves. Also take a look at the significant number of CVEs in the
last few years which LibreSSL wasn't affected by, because they deployed
good coding practices, removed cruft and generally put more trust in the
underlying operating system to provide good random data, a good memory
allocator and so on.

What is truly remarkable is the fact that such a small team around Bob
Beck was able to pull this off so efficiently.

I wonder why there is not even more effort to adopt LibreSSL in the
major Linux distributions. I think it's just a matter of time until we
see the next major security hole in OpenSSL.

Cheers

Laslo

-- 
Laslo Hunhold <dev_AT_frign.de>
Received on Sun Jan 29 2017 - 23:38:17 CET