On 30.01.2017 14:09, Giancarlo Razzolini wrote:
On January 30, 2017 1:05 Allan McRae wrote:
Please cite one example. Every CVE I have seen that is of at least high severity has affected both. There have been some low severity ones only affecting openssl.
Even worse, the fix time for libressl in the couple of issues I monitored was worse than openssl.
I don't have a ready list, but I can make one, sure. One thing I can say is that it wasn't *every*[0] high/critical CVE that affected both libraries.
And yes, I presume fix time will be somewhat worse than OpenSSL's, because it is a portable version of a library mainly focused on OpenBSD.
As I said, it is a suggestion for us to consider instead of going OpenSSL 1.1 way. Both will be hard, but I think in the end we would be better off using LibreSSL.
Cheers, Giancarlo Razzolini
For now I'd like to keep openssl. This might change when upstream projects might switch to libressl. ATM I do not see an objective reason to do so. If it is a drop in replacement a separate package could be provided.

Greetings,
Pierre

--
Pierre Schmitz, https://pierre-schmitz.com