On Sun, 05 Jun 2016 16:49:20 +0200 Ralf Nolden <[email protected]> wrote: > > Hi Alonso, > > thanks for the info. On the Qt side (where it appears as a problem in > QtNetwork) we've added now a patch to only support openssl. The usability of > libressl and the support for that can be argued about, however, I think we > should at least write up some advisory what is used where so people know how > to treat problems with Qt-related software in case of security advisories. > > If the use of libressl instead of openssl can be made optional by an option > and keep the defaults at openssl, I'm fine with any patch as long as it is up > to the user to build that with qca. (on Qt, I wouldn't do that on qt5-network > because it is not officially supported by Qt). >
libressl is already an option, defaulting on base's openssl. [1] > Until that is given, I wouldn't use the patch. How is upstream handling the > use of libressl ? > -- > Kind regards, > > Ralf Nolden > Hi Upstream has the same approach that we have for handling SHA-0[2], and a different one for SSL3: They don't provide a fallback if there's no SSLv3 support [3], while the FreeBSD wiki proposes to do SSLv23 [4] References: [1] https://wiki.freebsd.org/LibreSSL [2] https://quickgit.kde.org/?p=qca.git&a=commit&h=0dbed8eb38afd1561907a52283091c37e7b85156 [3] https://quickgit.kde.org/?p=qca.git&a=commit&h=20a587d77636186edb044cd2b71d6d90fe98d232 [4] https://wiki.freebsd.org/LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures Alonso
pgp0F7EYJewjD.pgp
Description: PGP signature
_______________________________________________ kde-freebsd mailing list [email protected] https://mail.kde.org/mailman/listinfo/kde-freebsd See also http://freebsd.kde.org/ for latest information
