Mail archive

Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled

From: Natanael Copa <>
Date: Fri, 4 Mar 2016 17:17:46 +0100

On Fri, 4 Mar 2016 15:52:33 +0100
"" <> wrote:

> On 03/03/2016 04:07 AM, Apocalyptic Bunyip wrote:
> > +1 for LibreSSL
> >
> +1
> This should have been enough of a warning that OpenSSL is unreliable in
> a lot of ways.

Indeed. It is the second time they (unexpectedly) break the ABI with a
security update. I also like that they remove bad code rather than just
duct-tape it. I would love to switch to libressl.

> Some Linux distros already provide LibreSSL support
> (mostly source distros though).

We have the package in testing.

> It requires some patching and work, but
> since Alpine is on musl already, you are probably familiar with the
> consequences of supporting such a thing.

Yes. Patching does not scare us that much.

Useful resource on what packages need patching for sslv3 removal (for

Another consequence is that they break ABI every 6 months at least.
Rebuilding packages and breaking ABI does not scare me (unless it
happens in a stable branch). They seem to do proper SO versioning so
this is not a problem, maybe slightly inconvenient.

A list of dates/versions where they have broken the ABI is collected

What does scare me is that libressl does not provide sec fixes for old
versions for a long enough time. They only maintain the 2 last releases and do
a release every 6 months, so we'd need to do the sec fixing ourselves for
1.5 years, without support from upstream. This may be a problem.


Received on Fri Mar 04 2016 - 17:17:46 UTC