On 21/07/14 14:02, Gert Doering wrote:
> Hi,
>
> On Mon, Jul 21, 2014 at 01:24:53PM +0200, Steffan Karger wrote:
>> LibreSSL has just been ported to Linux.
>
> I'd stay away from LibreSSL for a while. "We do OpenBSD, and do not care
> for portability" seems to have side effects on things like "seeding RNG"
> that should be fully understood before using that.
>
> (Unfortunately I do not have the link that details this particular issue
> - came around it last week)
Maybe it was this one? <https://lwn.net/Articles/605509/>

But I generally agree, LibreSSL should not be used too easily currently. It takes a long time to mature an SSL library and ensure it is secure and good. Many also question how the LibreSSL team will tackle security updates for new issues found in OpenSSL, and due to the freshness of LibreSSL, nobody really knows. How will these fixes be ported to LibreSSL, and how will they ensure they work just as well there as in OpenSSL?

I also feel that OpenSSL has been bashed a bit too harshly by the media and the "I don't like OpenSSL" mobs. Remember that OpenSSL was really the first true open-sourced SSL library which got a real breakthrough (before that, it was SSLeay, which OpenSSL does somewhat build upon). Many others have come and gone in the meantime as well.

In addition: all kinds of software have bugs. Some will be severe. And with time, they will appear in other libraries as well as OpenSSL. There have already been many issues which have been fixed in PolarSSL, GnuTLS, NSS, etc, etc.

Yes, there are issues with OpenSSL. Some code is ancient, some code is very poorly documented. Some code paths are dead on many of today's platforms. But it doesn't mean it's completely crappy code. And OpenSSL seems to try to fix and correct some of this as well.

What is important, no matter which library you use, is that it gets updates quickly when something is found. OpenSSL has generally been fairly good at this (once issues have been noticed). But this also requires that the sys-admins are responsible in their update processes, and also update the libraries as soon as possible after the official update was released.

--
kind regards,

David Sommerseth