Hi Samuli and friends: This is what I think.
Both of us don't know how long it will take for OpenSSL to fix the long list of bugs -some of which are significant- that have accumulated over the years. One year or two years? OpenVPN is in the business of providing software that enables secure communications. Can OpenVPN afford to wait one or two years for bugs to be fixed? How will OpenVPN address the concerns of its Access Server's customers? Do Access Server software incorporate OpenSSL or PolarSSL? Hackers and agencies sponsored by their respective governments will have a field day disrupting secure communications enabled by the use of defective VPN software. Economic espionage will wreak havoc on the markets and create unfair competition for those countries which are technically and scientifically superior. Human rights abuses will be on the increase. I accept that substantial portions of the current software code for Windows will have to be rewritten. But aren't you also doing it for Access Server customers? Aren't they affected by OpenSSL's bugs? Regards. Lisa > ---------------------------------------- > From: Samuli Seppänen <sam...@openvpn.net> > Sent: Mon Jul 21 14:44:11 CEST 2014 > To: Gert Doering <g...@greenie.muc.de>, Lisa Minogue <lmino...@mail.be> > Subject: Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced? > > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > > Hi, > > > > On Mon, Jul 21, 2014 at 11:35:48AM +0200, Lisa Minogue wrote: > >> In the light of the above, do you have plans to replace OpenSSL with > PolarSSL or LibreSSL? And how soon will new bundles of OpenVPN software > be released that incorporate OpenSSL alternatives? > > [..] > >> P.S.: I apologize if the above questions have been dealt with in the > past. > > > > Indeed, you could have just googled for "OpenVPN PolarSSL"... > > > > But anyway. Samuli: can the build environment do windows binaries using > > PolarSSL? Might be nice to offer both... > > > > gert > > > The build environment for Windows would have to be modified > significantly to support PolarSSL. Although we probably can all agree > that the state of OpenSSL leaves a lot to be desired, it's now funded by > the Core Infratructure Initiative: > > <http://www.linuxfoundation.org/programs/core-infrastructure-initiative> > > I don't know if money (=few full-time developers) can save the can of > worms, but probably we should not panic quite yet. Opinions? > > - -- > Samuli Seppänen > Community Manager > OpenVPN Technologies, Inc > > irc freenode net: mattock > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iEYEARECAAYFAlPNCxoACgkQwp2X7RmNIqPLVwCeJlS7jpSFGL8N1UtO/fI17Ovi > C10An3Gzt1blQd5SrCcEE47Qid0oSGin > =etcu > -----END PGP SIGNATURE----- > ----------------------------------------------------- Mail.be, WebMail and Virtual Office http://www.mail.be
