On 17.03.2016 at 11:01, Laurent Blume wrote:
>> well it broke ABI. Which kind of sucks too.
>> http://ptribble.blogspot.de/2016/03/moving-goalposts-with-openssl.html
>
> What's pathetic is that distro makers are now whining that they are
> forced to get their fingers out of their collective asses, because,
> boo-hoo, the defaults have changed. Whereas not so long ago, people were
> whining that OpenSSL sucked because, boo-hoo, its defaults never changed.
>
> After checking my calendar again, yep, it's 2016. OpenSSL have been
> saying for at least 2 years that SSLv2 should have been disabled! It's
> not NEWS that SSLv2 is broken! So WHY was it kept enabled? Because it's
> just easier to use defaults, so then they can reject responsibility to
> somebody else?

This is really hard to understand, as SSLv2 has been broken for more than 10 years!

> «OpenSSL has been around a long time, and it carries around a lot of
> cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is
> completely broken, and you should disable it during configuration. You
> can disable protocols and provide other options through Configure and
> config, and the following lists some of them.»
>
> https://wiki.openssl.org/index.php/Compilation_and_Installation
>
> So, here's a thought: stop assuming that OpenSSL, a project that's been
> underfunded until it got in the news, will magically deal with
> every issue with old protocols. Packagers should their brains: if they
> don't have a compelling reason to keep an old crufty protocol, why is it
> enabled?

LibreSSL seems to be more progressive with removing unneeded code. As LibreSSL is supposed to be 100% compatible with OpenSSL, do you think it makes sense to replace OpenSSL with LibreSSL?

Ihsan

-- 
[email protected]
http://blog.dogan.ch/
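The thread's point that trusting library defaults silently keeps legacy protocols alive can be checked from application code rather than argued about. The following is an added example, not code from this thread or from OpenSSL/LibreSSL: it uses Python's `ssl` module (which wraps the linked OpenSSL) to report what the library was built with, list which versions an `SSLContext` would really negotiate, and pin the protocol floor explicitly instead of relying on the default. It assumes Python 3.7+ on OpenSSL 1.1.0+, where `ssl.HAS_*` and `SSLContext.minimum_version` exist.

```python
"""Audit the linked OpenSSL and make an SSLContext's protocol floor explicit."""
import ssl

# Protocol ladder, lowest first. Each entry pairs the version with the flag
# that says the linked OpenSSL was compiled with it at all, and with the
# OP_NO_* option that would switch it off on an individual context.
_LADDER = [
    (ssl.TLSVersion.SSLv3,   ssl.HAS_SSLv3,   ssl.OP_NO_SSLv3),
    (ssl.TLSVersion.TLSv1,   ssl.HAS_TLSv1,   ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3, ssl.OP_NO_TLSv1_3),
]
LEGACY = {"SSLv3", "TLSv1", "TLSv1_1"}


def library_report():
    """What the linked OpenSSL itself still carries (build-time facts)."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "sslv2_compiled_in": ssl.HAS_SSLv2,
        "sslv3_compiled_in": ssl.HAS_SSLv3,
    }


def enabled_versions(ctx):
    """Names of the versions ctx can negotiate, lowest first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # The sentinels do not sort like real versions (MAXIMUM_SUPPORTED is 256,
    # numerically below SSLv3 = 0x300), so resolve them to the ladder ends.
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _LADDER[0][0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _LADDER[-1][0]
    return [v.name for v, built, op_no in _LADDER
            if built and lo <= v <= hi and not (ctx.options & op_no)]


def legacy_enabled(ctx):
    """Legacy versions the context would still accept; empty is the goal."""
    return sorted(LEGACY & set(enabled_versions(ctx)))


def hardened_client_context():
    """Client context with the floor pinned rather than inherited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print(library_report())
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("default :", enabled_versions(default), legacy_enabled(default))
    hardened = hardened_client_context()
    print("hardened:", enabled_versions(hardened), legacy_enabled(hardened))
```

Run it against each Python/OpenSSL pairing you ship; the "default" line is what an application gets by doing nothing, which is exactly the behaviour the thread complains about.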
