On 03/03/2016 04:07 AM, Apocalyptic Bunyip wrote:
> +1 for LibreSSL>
+1
This should have been enough of a warning that OpenSSL is unreliable in
a lot of ways. Some linux distros already provide LibreSSL support
(mostly source distros though). It requires some patching and work, but
since Alpine is on musl already, you are probably familiar with the
consequences of supporting such a thing.
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled
+1 for LibreSSL
I'm willing to help with patches if there would be such transition.
Sorry for formatting. I'm on phone.
Original Message
From: hasufell@posteo.de
Sent: Friday, 4 March 2016 15:52
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled
On 03/03/2016 04:07 AM, Apocalyptic Bunyip wrote:
> +1 for LibreSSL>
+1
This should have been enough of a warning that OpenSSL is unreliable in
a lot of ways. Some linux distros already provide LibreSSL support
(mostly source distros though). It requires some patching and work, but
since Alpine is on musl already, you are probably familiar with the
consequences of supporting such a thing.
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled
On Fri, 4 Mar 2016 15:52:33 +0100
"hasufell@posteo.de" <hasufell@posteo.de> wrote:
> On 03/03/2016 04:07 AM, Apocalyptic Bunyip wrote:> > +1 for LibreSSL> > > > > +1> > This should have been enough of a warning that OpenSSL is unreliable in> a lot of ways.
Indeed. It is the second time they (unexpectedly) break the ABI with a
security update. I also like that they remove bad code than just
duct-tape it. I would love to switch to libressl.
> Some linux distros already provide LibreSSL support> (mostly source distros though).
We have the package in testing.
> It requires some patching and work, but> since Alpine is on musl already, you are probably familiar with the> consequences of supporting such a thing.
Yes. Patching does not scare us that much.
Useful resource what packages needs patching for sslv3 removal (for
libressl-2.3): https://wiki.freebsd.org/OpenSSL/No-SSLv3
Other consequence is that they break ABI every 6 months at least.
Rebuilding packages and breaking ABI does not scare me (unless it
happens in a stable branch). They seem to do proper SO versioning so
this is not a problem, maybe slightly inconvenient.
A list of dates/versions where they have breaking the ABI is collected
here: https://wiki.freebsd.org/LibreSSL/#History
What does scare me is that libressl does not provide sec fixes for old
version long time enough. They only maintain the 2 last releases and do
release every 6 month, so we'd need to do the sec fixing our selves for
1.5 years, without support from upstream. This may be a problem.
-nc
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---