On Sun, 29 Jan 2017 23:38:17 +0100 Laslo Hunhold <[email protected]> wrote:
> On Sun, 29 Jan 2017 17:16:55 -0500
> "S. Gilles" <[email protected]> wrote:
>
> > Hey,
> >
> > On my Linux system (Gentoo), it's available as part of the libressl
> > package. It even seems to have manpages taken directly from
> > OpenBSD.
>
> I'm running Gentoo as well and should've given the libressl-ebuild
> more consideration. To be honest, making the switch from OpenSSL to
> LibreSSL is still non-trivial, but there is progress.
>
> I was wondering if it even works with OpenSSL. Looking at tls.c, it's
> using tls_internal.h, which makes me assume that it's closely bound to
> LibreSSL. I follow LibreSSL development very closely and am shocked at
> what state the OpenSSL codebase was/is in.
> Every developer working on LibreSSL is doing god's work, and for good
> reason more and more independent security researchers are sending
> their patches to the LibreSSL team instead of the OpenSSL team, whose
> sole purpose at the time when Heartbleed was discovered in 2014
> seemed to be to give FIPS seminars and raise funds.
> It speaks for itself that issues in their bugtracker were ignored, to
> the point that the LibreSSL devs went through it and applied the
> fixes themselves. Also take a look at the significant number of CVEs
> in the last years which LibreSSL wasn't affected by, because they
> deployed good coding measures, removed cruft and generally put more
> trust in the underlying operating system to provide good random data,
> a good memory allocator and so on.
>
> What is truly remarkable is the fact that such a little team around
> Bob Beck was able to pull this off so efficiently.
>
> I wonder why there is not even more effort to adopt LibreSSL in the
> major Linux distributions. I think it's just a matter of time until we
> see the next major security hole in OpenSSL.
>
> Cheers
>
> Laslo

Cool story, bro
