Mail archive

Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

From: Kevin Chadwick <>
Date: Sat, 10 Feb 2018 11:17:15 +0000

This is my last cross post as I am in danger or have already abused
your list likely atleast in some peoples eyes.

It seems like a strong argument to make upstreams reconsider to me. I
know security is an intangible asset and they likely won't care.
Though I think that lesson is becoming more widely understood, so maybe.

Theo posted this

> It isn't just this. Qt 5.10 introduces new dependency on OpenSSL 1.1
> APIs for improved security, and LibreSSL does not implement those APIs
> at all.

The 1.1 API does not improve security.

If anything, the new API requires to you repeat the same or similar
arguments to many functions, and in many ways the API is much more
fragile. Also, more memory allocation and free is required, and as a
result quite a few software upgrades to 1.1 API have had memory leaks,
as well as use-after-free and double-free bugs.

A very large patch for converting openssh to 1.1 was provided by folk
who very much know the API, and it had several stupid and quite
dangerous mistakes of that sort.

Don't believe all the promises you hear.

Received on Sat Feb 10 2018 - 11:17:15 UTC