On 30/01/17 08:30, Giancarlo Razzolini wrote:
On January 29, 2017 20:04, Doug Newgard wrote:
I haven't heard all that much from/about LibreSSL since shortly after the fork. Care to share what advantages it would bring, and at what cost?
The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one. For LibreSSL, it would be even bigger. I think the main advantage, right away, is that LibreSSL has a considerably better security track, especially after their huge flensing.
I can only dream about the bugs that might lurk in both OpenSSL 1.1 and LibreSSL. But the defensive approach OpenBSD takes on LibreSSL already has paid off in terms of CVEs that didn't affect it, but were high/critical issues on OpenSSL.
Please cite one example. Every CVE I have seen that is of at least high severity has affected both. There have been some low severity ones only affecting openssl. Even worse, the fix time for libressl in the couple of issues I monitored was worse than openssl. A