LibreSSL and OpenSSL and *SSL

Jan Stary hans at stare.cz
Wed Feb 28 18:06:34 UTC 2018


> On Feb 16 20:15:04, notifications at github.com wrote:
> > OpenSSL was once undersupported because they didn't have funds
> > to have full time staff doing development and maintenance.
> > That ended a long time ago after Heartbleed.
> > The project is now fully funded and has excellent people working on it.

https://marc.info/?l=openbsd-misc&m=151974573718360&w=2


> Now we get to the real thing: LibreSSL is better.
> 
> For those who actually care: please do watch the original
> talks and slides about why LibreSSL even exists:
> 
> https://www.youtube.com/watch?v=GnBbhXBDmwU
> https://www.openbsd.org/papers/bsdcan14-libressl/
> 
> https://www.youtube.com/watch?v=WFMYeMNCcSY
> https://www.openbsd.org/papers/eurobsdcon2014-libressl.html
> 
> Yes, that's almost four years ago. So how much of the
> atrocities mentioned in the above have been fixed?
> Does it still use its own OPENSSL_malloc() that never frees?
> Does it still use its own OPENSSL_strfoo() that is almost,
> but not quite, identical to the usual, well defined strfoo(3)?
> Has the depth of the #ifdef/#ifndef maze dropped from 17?
> Are the security vulnerabilities still rotting in the bug DB for years?
> Is it still impossible to enter the codebase from outside
> without untangling it for weeks?
> 
> The LibreSSL developers state explicitly that Heartbleed
> was not why they started their fork. It was things like these.
> https://www.tedunangst.com/flak/post/origins-of-libressl

