Openssl Update

İhsan Doğan ihsan at opencsw.org
Thu Mar 17 19:03:05 CET 2016


On 17.03.2016 at 11:01, Laurent Blume wrote:

>> well it broke ABI. Which kind of sucks too.
>> http://ptribble.blogspot.de/2016/03/moving-goalposts-with-openssl.html
> 
> What's pathetic is that distro makers are now whining that they are
> forced to get their fingers out of their collective asses, because,
> boo-hoo, the defaults have changed. Whereas not so long ago, people were
> whining that OpenSSL sucked because, boo-hoo, its defaults never changed.
> 
> After checking my calendar again, yep, it's 2016. OpenSSL have been
> saying for at least 2 years that SSLv2 should have been disabled! It's
> not NEWS that SSLv2 is broken! So WHY was it kept enabled? Because it's
> just easier to use defaults, so then they can reject responsibility to
> somebody else?

This is really hard to understand, as SSLv2 has been broken for more than 10
years!

> «OpenSSL has been around a long time, and it carries around a lot of
> cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is
> completely broken, and you should disable it during configuration. You
> can disable protocols and provide other options through Configure and
> config, and the following lists some of them.»
> 
> https://wiki.openssl.org/index.php/Compilation_and_Installation
> 
> So, here's a thought: stop assuming that OpenSSL, a project that's been
> underfunded until it got in the news, will magically deal with
> every issue with old protocols. Packagers should their brains: if they
> don't have a compelling reason to keep an old crufty protocol, why is it
> enabled?

LibreSSL seems to be more progressive with removing unneeded code. As
LibreSSL is supposed to be 100% compatible with OpenSSL, do you think it
makes sense to replace OpenSSL with LibreSSL?



Ihsan

-- 
ihsan at dogan.ch        http://blog.dogan.ch/