Re: Re: Hardened OpenSSL fork

2014-04-30 Thread Thorsten Glaser
On Tue, 29 Apr 2014, Steven Chamberlain wrote: On Mon, 28 Apr 2014 16:52:10 + (UTC), daThorsten Glaser wrote: For their OpenSSL fork, specifically, they rely on some system properties such as their RNG’s behaviour way too much [...] I would think Linux and FreeBSD have much better

Re: Hardened OpenSSL fork

2014-04-29 Thread Thomas Goirand
On 04/21/2014 02:07 AM, Steven Chamberlain wrote: OpenBSD developers are extensively cleaning up OpenSSL 1.0.1g I'm not so sure if cleaning-up really means removing 90k lines of code without extensive checks. I'd very much prefer some unit tests added to the current code base, or a *long* audit

Re: Hardened OpenSSL fork

2014-04-29 Thread Kevin Chadwick
previously on this list Thomas Goirand contributed: OpenBSD developers are extensively cleaning up OpenSSL 1.0.1g I'm not so sure if cleaning-up really means removing 90k lines of code without extensive checks. I'd very much prefer some unit tests added to the current code base, or a

Re: Re: Hardened OpenSSL fork

2014-04-29 Thread Steven Chamberlain
On Mon, 28 Apr 2014 16:52:10 + (UTC), daThorsten Glaser wrote: For their OpenSSL fork, specifically, they rely on some system properties such as their RNG’s behaviour way too much [...] I would think Linux and FreeBSD have much better PRNGs now than what has been done until now in OpenSSL.

Re: Hardened OpenSSL fork

2014-04-29 Thread Steven Chamberlain
Here's a good catch I think: http://freshbsd.org/commit/openbsd/b6c83fa20a2269dadd0a9a73049813c75c2bcbbb SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disables a workaround for the weakness described in https://www.openssl.org/~bodo/tls-cbc.txt which, I think, was exploited by the BEAST attack ~9 years

Re: Hardened OpenSSL fork

2014-04-28 Thread daThorsten Glaser
Kurt Roeckx kurt at roeckx.be writes: On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote: But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL 1.0.1g. One of the problems with anything from OpenBSD is that they only care about OpenBSD, and if you want to

Re: Hardened OpenSSL fork

2014-04-28 Thread daThorsten Glaser
Steven Chamberlain steven at pyro.eu.org writes: I'd say the code still looks quite 'portable' in that it is ANSI C and isn't using kernel-specific features. arc4random is just a library routine from their libc and I see no reason it can't be borrowed. No, it’s more. And after sysctl() got

Re: Hardened OpenSSL fork

2014-04-21 Thread Kurt Roeckx
On Mon, Apr 21, 2014 at 02:38:52AM +0100, Steven Chamberlain wrote: They've ripped out this whole PRNG now to use the one from their own libc: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/crypto/rand/rand_lib.c.diff?r1=1.14;r2=1.15 And I think just a change like that might work

Re: Hardened OpenSSL fork

2014-04-21 Thread Kurt Roeckx
On Mon, Apr 21, 2014 at 12:34:12AM +0100, Kevin Chadwick wrote: previously on this list people contributed: On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote: Hi, But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL 1.0.1g. One of the

Re: Hardened OpenSSL fork

2014-04-21 Thread Kevin Chadwick
On Mon, 21 Apr 2014 10:55:36 +0200 Kurt Roeckx wrote: I'm not sure what you're trying to say here. But look at the example of the random number generator in my other e-mail. I've seen other cases where they do things like that. And I can perfectly understand why they do it, and then

Re: Hardened OpenSSL fork

2014-04-21 Thread Steven Chamberlain
On 21/04/14 09:21, Kurt Roeckx wrote: OpenBSD also replaced RC4 with ChaCha20, while Linux probably still uses RC4. We should stop using RC4. I figured OpenSSH must be already using arc4random, and sure enough it seems to bundle an implementation of ChaCha already:

Re: Hardened OpenSSL fork

2014-04-20 Thread Michael Banck
Heya, On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote: I wonder if this might result in an alternate SSL/TLS library we could use in Debian? Probably - but I think there is enough time left for jessie that we don't need to jump to conclusions already and can watch this unfold

Re: Hardened OpenSSL fork

2014-04-20 Thread Marco d'Itri
On Apr 20, Steven Chamberlain ste...@pyro.eu.org wrote: I wonder if this might result in an alternate SSL/TLS library we could use in Debian? Let's see next year how much the OpenBSD thing will be: - portable - interoperable - gaining new features They are removing things like FIPS support

Re: Hardened OpenSSL fork

2014-04-20 Thread Kurt Roeckx
On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote: Hi, But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL 1.0.1g. One of the problems with anything from OpenBSD is that they only care about OpenBSD, and if you want to use that fork you'll actually have to

Re: Hardened OpenSSL fork

2014-04-20 Thread Kevin Chadwick
previously on this list people contributed: On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote: Hi, But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL 1.0.1g. One of the problems with anything from OpenBSD is that they only care about OpenBSD, and

Re: Hardened OpenSSL fork

2014-04-20 Thread Steven Chamberlain
I agree it's not going to be portable in the near term, though there are interesting changes being made and good code review happening. Some dubious entropy sources were (only potentially?) used with RAND_seed/add: digests: