On Sun, 05 Jun 2016 16:49:20 +0200
Ralf Nolden <[email protected]> wrote:
> 
> Hi Alonso,
> 
> thanks for the info. On the Qt side (where it appears as a problem in 
> QtNetwork) we've added now a patch to only support openssl. The usability of 
> libressl and the support for that can be argued about, however, I think we 
> should at least write up some advisory what is used where so people know how 
> to treat problems with Qt-related software in case of security advisories.
> 
> If the use of libressl instead of openssl can be made optional by an option 
> and keep the defaults at openssl, I'm fine with any patch as long as it is up 
> to the user to build that with qca. (on Qt, I wouldn't do that on qt5-network 
> because it is not officially supported by Qt).
> 

libressl is already an option, defaulting on base's openssl. [1]

> Until that is given, I wouldn't use the patch. How is upstream handling the 
> use of libressl ?
> -- 
> Kind regards,
> 
> Ralf Nolden
> 

Hi

Upstream has the same approach that we have for handling SHA-0[2], and
a different one for SSL3: They don't provide a fallback if there's no
SSLv3 support [3], while the FreeBSD wiki proposes to do SSLv23 [4]

References:
[1] https://wiki.freebsd.org/LibreSSL
[2] 
https://quickgit.kde.org/?p=qca.git&a=commit&h=0dbed8eb38afd1561907a52283091c37e7b85156
[3] 
https://quickgit.kde.org/?p=qca.git&a=commit&h=20a587d77636186edb044cd2b71d6d90fe98d232
[4] 
https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures



Alonso

Attachment: pgp0F7EYJewjD.pgp
Description: PGP signature

_______________________________________________
kde-freebsd mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/kde-freebsd
See also http://freebsd.kde.org/ for latest information

Reply via email to