
Re: Hardened OpenSSL fork



On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote:
> Hi,
> 
> But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL
> 1.0.1g.

One of the problems with anything from OpenBSD is that they only
care about OpenBSD, and if you want to use that fork you'll
actually have to go and revert some of the things they're doing.

Some of the things they're changing are actually good changes,
but some are also just wrong.  They don't seem to be understanding
why things are the way they are and seem to be changing code they
don't understand.

They also seem to like to do white space changes, which is really
helpful.

> It's now using native malloc/free instead of its own allocator
> which allowed the Heartbleed bug to happen.

This did not allow heartbleed to happen.  It might have hidden
CVE-2010-5298 more, but it was always there and is unrelated to
heartbleed.

When using the native malloc you would still have been able to
exploit heartbleed, but it will most likely result in different
behaviour and might be harder.

> I wonder if this might result in an alternate SSL/TLS library we could
> use in Debian?

There are alternatives, but I guess you mean alternative to
openssl.  Currently it actually doesn't look like a good option to
me.


Kurt

