Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Fri, 4 Mar 2016 17:17:46 +0100

On Fri, 4 Mar 2016 15:52:33 +0100
"hasufell_at_posteo.de" <hasufell_at_posteo.de> wrote:

> On 03/03/2016 04:07 AM, Apocalyptic Bunyip wrote:
> > +1 for LibreSSL
> >
>
>
> +1
>
> This should have been enough of a warning that OpenSSL is unreliable in
> a lot of ways.

Indeed. It is the second time they (unexpectedly) break the ABI with a
security update. I also like that they remove bad code rather than just
duct-tape it. I would love to switch to libressl.

> Some linux distros already provide LibreSSL support
> (mostly source distros though).

We have the package in testing.

> It requires some patching and work, but
> since Alpine is on musl already, you are probably familiar with the
> consequences of supporting such a thing.

Yes. Patching does not scare us that much.

Useful resource on what packages need patching for sslv3 removal (for
libressl-2.3): https://wiki.freebsd.org/OpenSSL/No-SSLv3

Another consequence is that they break ABI every 6 months at least.
Rebuilding packages and breaking ABI does not scare me (unless it
happens in a stable branch). They seem to do proper SO versioning, so
this is not a problem, maybe slightly inconvenient.

A list of dates/versions where they have broken the ABI is collected
here: https://wiki.freebsd.org/LibreSSL/#History

What does scare me is that libressl does not provide sec fixes for old
versions for long enough. They only maintain the 2 last releases and do a
release every 6 months, so we'd need to do the sec fixing ourselves for
1.5 years, without support from upstream. This may be a problem.

-nc

Received on Fri Mar 04 2016 - 17:17:46 GMT