
Hardened OpenSSL fork



Hi,

A few things led me to question whether it is safe for OpenSSL to enable
so many features.  The heartbeat extension was not likely being used by
anyone for its stated legitimate purpose.  I've yet to use/need DTLS.  I
wondered if we could have had something along the lines of an
openssl-heavy and openssl-light.

But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL
1.0.1g.  It's now using native malloc/free instead of its own allocator,
which allowed the Heartbleed bug to happen.  From doing that, Ted
Unangst found the cause of the bug now known as CVE-2010-5298.  And
obsolete code such as for SSLv2 or portability with ancient systems is
being ripped out.

I wonder if this might result in an alternate SSL/TLS library we could
use in Debian?

The effort curiously has its own fanpage in the style of the
vulnerability that triggered it:  http://opensslrampage.org

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
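As an added illustration of the heartbeat bug the message above refers to (example code written for this page; it is not from the message, from OpenSSL, or from the OpenBSD cleanup): a small C model of a heartbeat responder, with the vulnerable length handling beside the hardened one. The message layout follows RFC 6520. The peer_mem pool, the 23-byte wire record, the 64-byte claimed length and the SECRET string are all constructed for the demo, and the over-read stays inside the pool only because the constructed claim is small; a real peer can claim up to 65535 bytes. The allocator behaviour the message mentions is not modelled here, only the missing bounds check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration added to this thread; not OpenSSL's code.
 * A TLS heartbeat message (RFC 6520) is laid out as
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * and the record layer separately knows how many bytes really arrived.
 * Heartbleed was the responder trusting payload_length without comparing
 * it against that record length. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define POOL_SIZE    256

/* Constructed stand-in for the responder's memory: the received record
 * sits at the start of the pool, followed by whatever happens to be in
 * adjacent memory (here a made-up secret). rec_len is the wire length. */
struct peer_mem {
    uint8_t pool[POOL_SIZE];
    size_t  rec_len;
};

static const char SECRET[] = "SECRET_KEY_MATERIAL";   /* constructed, 19 bytes */

/* Build a 4-byte "ping" heartbeat whose header claims claimed_len bytes. */
static void build_pool(struct peer_mem *m, uint16_t claimed_len)
{
    memset(m, 0, sizeof *m);
    m->pool[0] = HB_REQUEST;
    m->pool[1] = (uint8_t)(claimed_len >> 8);
    m->pool[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(&m->pool[3], "ping", 4);
    m->rec_len = 1 + 2 + 4 + HB_PADDING;              /* 23 bytes on the wire */
    memcpy(&m->pool[m->rec_len], SECRET, sizeof SECRET - 1);
}

static uint16_t claimed_payload(const uint8_t *p)
{
    return (uint16_t)((p[1] << 8) | p[2]);
}

/* Vulnerable responder (the Heartbleed pattern): copies as many bytes as
 * the peer claimed, reading past the end of the received record.
 * Returns the response length, 0 on refusal. */
static size_t hb_respond_vulnerable(const struct peer_mem *m,
                                    uint8_t *out, size_t out_cap)
{
    const uint8_t *p = m->pool;
    uint16_t payload = claimed_payload(p);
    size_t n = 1 + 2 + (size_t)payload + HB_PADDING;
    if (n > out_cap || 3 + (size_t)payload > POOL_SIZE)
        return 0;       /* the second test only keeps this demo well-defined */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);                  /* over-read happens here */
    memset(out + 3 + payload, 0, HB_PADDING);
    return n;
}

/* Hardened responder: header, claimed payload and minimum padding must fit
 * inside the record that actually arrived, else discard silently as
 * RFC 6520 requires. */
static size_t hb_respond_hardened(const struct peer_mem *m,
                                  uint8_t *out, size_t out_cap)
{
    const uint8_t *p = m->pool;
    if (m->rec_len < 1 + 2 + HB_PADDING)
        return 0;                                     /* cannot even hold a header */
    uint16_t payload = claimed_payload(p);
    if (1 + 2 + (size_t)payload + HB_PADDING > m->rec_len)
        return 0;                                     /* the missing bounds check */
    size_t n = 1 + 2 + (size_t)payload + HB_PADDING;
    if (n > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);                  /* now provably within rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return n;
}

/* Returns 1 if the response carries the constructed secret, else 0. */
static int response_leaks_secret(const uint8_t *out, size_t n)
{
    for (size_t i = 0; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0)
            return 1;
    return 0;
}

int main(void)
{
    struct peer_mem m;
    uint8_t out[512];
    build_pool(&m, 64);                               /* 4 real bytes, claims 64 */
    size_t n = hb_respond_vulnerable(&m, out, sizeof out);
    printf("vulnerable: %zu bytes, leaks secret: %d\n", n, response_leaks_secret(out, n));
    n = hb_respond_hardened(&m, out, sizeof out);
    printf("hardened:   %zu bytes (0 = discarded)\n", n);
    return 0;
}
```

The only difference between the two responders is the comparison of the claimed length against rec_len; everything the vulnerable version copies beyond byte 23 is whatever sat next to the record in memory, which is exactly why the message's concern about the allocator matters: what lands there is decided by the allocator, not by the protocol code.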

