On Sun, 29 Jan 2017 17:16:55 -0500 "S. Gilles" <[email protected]> wrote:
Hey,

> On my Linux system (Gentoo), it's available as part of the libressl
> package. It even seems to have manpages taken directly from OpenBSD.

I'm running Gentoo as well and should've given the libressl-ebuild more consideration. To be honest, making the switch from OpenSSL to LibreSSL is still non-trivial, but there is progress. I was wondering if it even works with OpenSSL. Looking at tls.c, it's using tls_internal.h, which makes me assume that it's closely bound to LibreSSL.

I follow LibreSSL development very closely and am shocked in what state the OpenSSL codebase was/is. Every developer working on LibreSSL is doing god's work, and for good reason more and more independent security researchers are sending their patches to the LibreSSL team instead of the OpenSSL team, whose sole purpose at the time when Heartbleed was discovered in 2014 seemed to be to give FIPS seminars and raise funds. It speaks for itself that issues in their bugtracker were ignored, to the point that the LibreSSL devs went through it and applied the fixes themselves.

Also take a look at the significant number of CVEs in the last years which LibreSSL wasn't affected by because they deployed good coding measures, removed cruft and generally put more trust in the underlying operating system to provide good random data, a good memory allocator and so on. What is truly remarkable is the fact that such a little team around Bob Beck was able to pull this off so efficiently.

I wonder why there is not even more effort to adopt LibreSSL in the major Linux distributions. I think it's just a matter of time until we see the next major security hole in OpenSSL.

Cheers

Laslo

--
Laslo Hunhold <[email protected]>
