~alpine/devel

3 3

re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled

Apocalyptic Bunyip
Details
Message ID
<CALKFSTgALhw1p638ykmSNXdRqapnwuyX35Y-+npJzRHedaotcQ@mail.gmail.com>
Sender timestamp
1456974447
DKIM signature
missing
Download raw message
+1 for LibreSSL

Keep up the great work!

Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled

hasufell@posteo.de
Details
Message ID
<56D9A131.8040308@posteo.de>
In-Reply-To
<CALKFSTgALhw1p638ykmSNXdRqapnwuyX35Y-+npJzRHedaotcQ@mail.gmail.com> (view parent)
Sender timestamp
1457103153
DKIM signature
missing
Download raw message
On 03/03/2016 04:07 AM, Apocalyptic Bunyip wrote:
> +1 for LibreSSL
> 


+1

This should have been enough of a warning that OpenSSL is unreliable in
a lot of ways. Some linux distros already provide LibreSSL support
(mostly source distros though). It requires some patching and work, but
since Alpine is on musl already, you are probably familiar with the
consequences of supporting such a thing.



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled

Jiri Horner
Details
Message ID
<20160304150110.5894225.70018.2045@gmail.com>
In-Reply-To
<56D9A131.8040308@posteo.de> (view parent)
Sender timestamp
1457103670
DKIM signature
missing
Download raw message
+1 for LibreSSL

I'm willing to help with patches if there would be such transition.

Sorry for formatting. I'm on phone.
‎
  Original Message  
From: hasufell@posteo.de
Sent: Friday, 4 March 2016 15:52
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled

On 03/03/2016 04:07 AM, Apocalyptic Bunyip wrote:
> +1 for LibreSSL
> 


+1

This should have been enough of a warning that OpenSSL is unreliable in
a lot of ways. Some linux distros already provide LibreSSL support
(mostly source distros though). It requires some patching and work, but
since Alpine is on musl already, you are probably familiar with the
consequences of supporting such a thing.



---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Re: [alpine-devel] Latest OpenSSL with SSLv2/weak ciphers enabled

Natanael Copa
Details
Message ID
<20160304171746.65b5e192@ncopa-desktop.alpinelinux.org>
In-Reply-To
<56D9A131.8040308@posteo.de> (view parent)
Sender timestamp
1457108266
DKIM signature
missing
Download raw message
On Fri, 4 Mar 2016 15:52:33 +0100
"hasufell@posteo.de" <hasufell@posteo.de> wrote:

> On 03/03/2016 04:07 AM, Apocalyptic Bunyip wrote:
> > +1 for LibreSSL
> >   
> 
> 
> +1
> 
> This should have been enough of a warning that OpenSSL is unreliable in
> a lot of ways.

Indeed. It is the second time they (unexpectedly) break the ABI with a
security update. I also like that they remove bad code than just
duct-tape it. I would love to switch to libressl.

> Some linux distros already provide LibreSSL support
> (mostly source distros though).

We have the package in testing.

> It requires some patching and work, but
> since Alpine is on musl already, you are probably familiar with the
> consequences of supporting such a thing.

Yes. Patching does not scare us that much.

Useful resource what packages needs patching for sslv3 removal (for
libressl-2.3): https://wiki.freebsd.org/OpenSSL/No-SSLv3

Other consequence is that they break ABI every 6 months at least.
Rebuilding packages and breaking ABI does not scare me (unless it
happens in a stable branch). They seem to do proper SO versioning so
this is not a problem, maybe slightly inconvenient.

A list of dates/versions where they have breaking the ABI is collected
here: https://wiki.freebsd.org/LibreSSL/#History

What does scare me is that libressl does not provide sec fixes for old
version long time enough. They only maintain the 2 last releases and do
release every 6 month, so we'd need to do the sec fixing our selves for
1.5 years, without support from upstream. This may be a problem.

-nc


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---