Date: Sat, 10 Feb 2018 15:45:13 +0000
From: Kevin Chadwick
To: William Pitcock
Cc: alpine-dev
Subject: Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

On Sat, 10 Feb 2018 08:31:26 -0600

> For the n-th time, there is nothing to discuss, LibreSSL removed SAFE
> date calculation code and replaced it with code that is only SAFE
> under a specific precondition: 64-bit time_t. Then they made it
> blindly accept ANY certificate that overflows the time_t if it's
> smaller than 64-bit, which is COMPLETELY UNSAFE AND ARGUABLY A
> SECURITY PROBLEM BECAUSE IT MEANS A CERT THAT EXPIRES BEFORE 1970 IS
> NOW POTENTIALLY VALID. Don't believe me? Generate a certificate that
> computes as 0xfffffff time_t on 32-bit and you win. Really, you do!
> If they care about portability, they should revert this change.

Yet there is no mention of TAI64N or this as far as I can see on the
libressl mailing list. I cross posted because reluctance to communicate
between Linux and OpenBSD devs is well known. OpenBSD devs are blunt
but they don't have time to be anything else.

I guess that PRE 1970 issue would not apply to OpenSSH but you would
probably find that your argument about a CERT expiring before 1970 has
been considered and found to be a red herring or they would help you
but no YOU HAVEN'T EVEN DISCUSSED YOUR PROBLEM.

Where would they get a 1970 cert from that was trusted?