[arch-dev-public] OpenSSL 1.1.0

Allan McRae allan at archlinux.org
Mon Jan 30 03:05:56 UTC 2017


On 30/01/17 08:30, Giancarlo Razzolini wrote:
> On January 29, 2017 20:04 Doug Newgard wrote:
>>
>> I haven't heard all that much from/about LibreSSL since shortly after
>> the fork.
>> Care to share what advantages it would bring, and at what cost?
>>
> 
> The cost for rebuilding everything against OpenSSL 1.1 will probably be
> a big one. For LibreSSL, it would be even bigger. I think the main
> advantage, right away, is that LibreSSL has a considerably better
> security track, especially after their huge flensing.
> 
> I can only dream about the bugs that might lurk in both OpenSSL 1.1 and
> LibreSSL. But the defensive approach OpenBSD takes on LibreSSL already
> has paid off in terms of CVEs that didn't affect it, but were
> high/critical issues on OpenSSL.
> 

Please cite one example. Every CVE I have seen that is of at least
high severity has affected both.  There have been some low severity ones
only affecting openssl.

Even worse, the fix time for libressl in the couple of issues I
monitored was worse than openssl.

A

