Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

From: Kevin Chadwick <>
Date: Sat, 10 Feb 2018 19:06:46 +0000

On Sat, 10 Feb 2018 12:16:18 -0600

> I like how it was already pointed out, by you and possibly others, on
> openbsd-misc *and* this list, that most people do not use the CA / SAN
> verification routines correctly.

Wasn't me!

> Then you mention that "well, invalid certs like that shouldn't be
> trusted".

You missed the point entirely, he didn't ask the question.

From the commit message I'm inclined to think it clamps the year for
good or bad but I was just pointing out his argument was potentially
obviously flawed.

OpenSSL only started in 1998! And any trusted CA that issues a pre-1970
cert is broken anyway. That was his assertion of it working that
way and being insecure.

The point wasn't that I knew but that he hadn't given LibreSSL the
chance despite its merits over OpenSSL. I assure you that LibreSSL
devs know a lot more than us about LibreSSL. Not raising issue with
them is arrogance.

But yes, I use public key crypto not CA certificates for anything I
implement, except a website where I hope letsencrypt start doing
things properly and less traditionally.

I actually don't care one bit aside from dev time wasted for a
worse outcome. I simply saw a wrong

> The problem with the OpenBSD community is not bluntness. Arrogance
> and trolling are problems for me. And you know what? Honestly, I
> don't find too many OpenBSD devs have that problem. Their users,
> however...their users....

At least you did enter some discussion and William might have learnt
that passing imsgs can be more secure and protect the keys!

