Re: [Chicken-users] OpenSSL egg option defaults poll

2014-10-16 Thread Christian Kellermann
Thomas Chust ch...@web.de writes: So I would like to poll for opinions from people on this list concerning this situation. Do you think the default options in the OpenSSL egg should be hardened? Do you think more options should be introduced? Is compatibility with the rest of the internet a

Re: [Chicken-users] OpenSSL egg option defaults poll

2014-10-16 Thread Thomas Chust
On Thu, 16 Oct 2014, Sascha Ziemann wrote: [...] I think it is a good idea to make TLS the default. [...] I think it is sufficient to enable SSL with a parameter or environment variable. I propose: I_DONT_CARE_ABOUT_SECURITY=yes [...] ... and there I was thinking that was implicit in the
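To make the "secure by default, insecure only by explicit opt-out" idea from the quoted proposal concrete, here is an added example in Python (not code from the openssl egg, from CHICKEN, or from anyone in this thread). It builds a hardened TLS client context unless the environment variable named in the proposal, I_DONT_CARE_ABOUT_SECURITY, is set to yes; the function name make_client_context, the helper describe and the use of Python's ssl module are assumptions made for the example.

```python
"""Secure-by-default TLS client context with an explicit opt-out.

Added example, not code from the openssl egg or from this thread. It models
the quoted proposal: hardened settings unless the caller deliberately sets
I_DONT_CARE_ABOUT_SECURITY=yes. Function and helper names are assumptions.
"""
import os
import ssl
import warnings

OPT_OUT_VAR = "I_DONT_CARE_ABOUT_SECURITY"  # name taken from the quoted proposal


def make_client_context(env=None) -> ssl.SSLContext:
    """Return a TLS client context.

    Default: peer certificate verification with hostname checking, TLS 1.2 or
    newer, and TLS compression disabled. Only when the environment carries
    I_DONT_CARE_ABOUT_SECURITY=yes (or 1/true) is a legacy context returned
    that skips verification and accepts whatever protocol version the linked
    OpenSSL still offers, i.e. the "compatible with the rest of the internet"
    behaviour, chosen on purpose rather than by accident.
    """
    env = os.environ if env is None else env
    opted_out = env.get(OPT_OUT_VAR, "").strip().lower() in ("yes", "1", "true")

    if not opted_out:
        # PROTOCOL_TLS_CLIENT already implies CERT_REQUIRED and check_hostname=True.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3/TLS 1.0/1.1
        ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression leaks plaintext (CRIME)
        ctx.load_default_certs()                       # system trust store for verification
        return ctx

    # Explicit opt-out: no verification, any protocol version OpenSSL allows.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # PROTOCOL_TLS is deprecated
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context (for logging/tests)."""
    return {
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


if __name__ == "__main__":
    print("default :", describe(make_client_context({})))
    print("opt-out :", describe(make_client_context({OPT_OUT_VAR: "yes"})))
```

The point of taking the environment as a parameter rather than reading os.environ unconditionally is that the opt-out path can be exercised in a test without polluting the real process environment; in a library the same switch would more naturally be a keyword argument on the connect call, with the environment variable only as a fallback.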

Re: [Chicken-users] OpenSSL egg option defaults poll

2014-10-16 Thread John Cowan
Thomas Chust scripsit: ... and there I was thinking that was implicit in the use of SSL/TLS in the first place ;-) Security, like privacy, exists in the individual human mind alone: die Gedanken sind frei (thoughts are free). Beyond that, 15th century tradecraft is still the best advice: meet someone around

Re: [Chicken-users] OpenSSL egg option defaults poll

2014-10-16 Thread Thomas Chust
On Thu, 16 Oct 2014, Florian Zumbiehl wrote: [...] I just wanted to point out that we still have a bunch of patches lying around that among other things implement security improvements: openssl: add support for TLS 1.1 and 1.2 openssl: add functions ssl-set-reneg-legacy-server-connect!,

Re: [Chicken-users] OpenSSL egg option defaults poll

2014-10-16 Thread Florian Zumbiehl
Hi, thanks for the heads up, I had totally forgotten about these patches. Can they be found somewhere online? I'd like to take a look again, perhaps they aren't that hard to incorporate. You probably didn't know about them yet, and they are unpublished so far, I have just pointed out the

Re: [Chicken-users] OpenSSL egg option defaults poll

2014-10-16 Thread Andy Bennett
Hi, IIRC we were waiting for andyjpb and company to fix the breakage introduced by the buffering patch so we could pull in current upstream and then push the patches or something ... Oops... sorry. I can't find the mail relating to the details of the breakage. Please can someone remind me and

Re: [Chicken-users] [PATCH 4/4] openssl: disable interrupts

2014-10-16 Thread Andy Bennett
Hi, Disable scheduling in order to prevent error checking races between threads. --- Well, I still don't have a clue whether disabling interrupts is actually a bad idea somehow, but I don't see any easy way to rewrite the code to avoid preemptive context switches that could screw up the