From: Natanael Copa
To: "hasufell@posteo.de"
Cc: alpine-devel@lists.alpinelinux.org
Date: Fri, 4 Mar 2016 17:17:46 +0100
Subject: Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled
Message-ID: <20160304171746.65b5e192@ncopa-desktop.alpinelinux.org>
In-Reply-To: <56D9A131.8040308@posteo.de>

On Fri, 4 Mar 2016 15:52:33 +0100
"hasufell@posteo.de" wrote:

> On 03/03/2016 04:07 AM, Apocalyptic Bunyip wrote:
> > +1 for LibreSSL
> >
>
> +1
>
> This should have been enough of a warning that OpenSSL is unreliable in
> a lot of ways.

Indeed. It is the second time they (unexpectedly) break the ABI with a
security update. I also like that they remove bad code rather than just
duct-tape it. I would love to switch to libressl.

> Some linux distros already provide LibreSSL support
> (mostly source distros though).

We have the package in testing.

> It requires some patching and work, but
> since Alpine is on musl already, you are probably familiar with the
> consequences of supporting such a thing.

Yes. Patching does not scare us that much. A useful resource on which
packages need patching for SSLv3 removal (for libressl-2.3):
https://wiki.freebsd.org/OpenSSL/No-SSLv3

The other consequence is that they break the ABI every 6 months at least.
Rebuilding packages and breaking the ABI does not scare me (unless it
happens in a stable branch). They seem to do proper SO versioning, so this
is not a problem, maybe slightly inconvenient. A list of dates/versions
where they have broken the ABI is collected here:
https://wiki.freebsd.org/LibreSSL/#History

What does scare me is that libressl does not provide sec fixes for old
versions for long enough. They only maintain the last 2 releases and do a
release every 6 months, so we'd need to do the sec fixing ourselves for
1.5 years, without support from upstream. This may be a problem.

-nc