On Tue, 29 Apr 2014, Steven Chamberlain wrote:
> On Mon, 28 Apr 2014 16:52:10 + (UTC), daThorsten Glaser wrote:
> > For their OpenSSL fork, specifically, they rely on some system
> > properties such as their RNG’s behaviour way too much [...]
>
> I would think Linux and FreeBSD have much bett
Here's a good catch I think:
http://freshbsd.org/commit/openbsd/b6c83fa20a2269dadd0a9a73049813c75c2bcbbb
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disables a workaround for the
weakness described in https://www.openssl.org/~bodo/tls-cbc.txt which, I
think, was exploited by the BEAST attack ~9 years later
On Mon, 28 Apr 2014 16:52:10 + (UTC), daThorsten Glaser wrote:
> For their OpenSSL fork, specifically, they rely on some system
> properties such as their RNG’s behaviour way too much [...]
I would think Linux and FreeBSD have much better PRNGs now than what has
been done until now in OpenSSL.
previously on this list Thomas Goirand contributed:
> > OpenBSD developers are extensively cleaning up OpenSSL 1.0.1g
>
> I'm not so sure if "cleaning-up" really means removing 90k lines of code
> without extensive checks. I'd very much prefer some unit tests added to
> the current code base, o
On 04/21/2014 02:07 AM, Steven Chamberlain wrote:
> OpenBSD developers are extensively cleaning up OpenSSL 1.0.1g
I'm not so sure if "cleaning-up" really means removing 90k lines of code
without extensive checks. I'd very much prefer some unit tests added to
the current code base, or a *long* audi
Steven Chamberlain pyro.eu.org> writes:
> I'd say the code still looks quite 'portable' in that it is ANSI C and
> isn't using kernel-specific features. arc4random is just a library
> routine from their libc and I see no reason it can't be borrowed.
No, it’s more.
And after sysctl() got remove
Kurt Roeckx roeckx.be> writes:
> On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote:
> > But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL
> > 1.0.1g.
>
> One of the problems with anything from OpenBSD is that they only
> care about OpenBSD, and if you want t
On 21/04/14 09:21, Kurt Roeckx wrote:
> OpenBSD also replaced RC4 with ChaCha20, while Linux probably still
> uses RC4. We should stop using RC4.
I figured OpenSSH must be already using arc4random, and sure enough it
seems to bundle an implementation of ChaCha already:
http://sources.debian.net/s
On Mon, 21 Apr 2014 10:55:36 +0200
Kurt Roeckx wrote:
> > I'm not sure what you're trying to say here. But look at the
> > example of the random number generator in my other e-mail. I've
> > seen other cases where they do things like that. And I can
> > perfectly understand why they do it, and t
On Mon, Apr 21, 2014 at 12:34:12AM +0100, Kevin Chadwick wrote:
> previously on this list people contributed:
>
> > On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote:
> > > Hi,
> > >
> > > But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL
> > > 1.0.1g.
> >
>
On Mon, Apr 21, 2014 at 02:38:52AM +0100, Steven Chamberlain wrote:
>
> They've ripped out this whole PRNG now to use the one from their own libc:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/crypto/rand/rand_lib.c.diff?r1=1.14;r2=1.15
And I think just a change like that might wo
I agree it's not going to be portable in the near term, though there are
interesting changes being made and good code review happening.
Some dubious entropy sources were (only potentially?) used with
RAND_seed/add:
digests:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/crypto/dsa/dsa_a
previously on this list people contributed:
> On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote:
> > Hi,
> >
> > But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL
> > 1.0.1g.
>
> One of the problems with anything from OpenBSD is that they only
> care about Op
On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote:
> Hi,
>
> But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL
> 1.0.1g.
One of the problems with anything from OpenBSD is that they only
care about OpenBSD, and if you want to use that fork you'll
actually have
On Apr 20, Steven Chamberlain wrote:
> I wonder if this might result in an alternate SSL/TLS library we could
> use in Debian?
Let's see next year how much the OpenBSD thing will be:
- portable
- interoperable
- gaining new features
They are removing things like FIPS support which are vital for
Heya,
On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote:
> I wonder if this might result in an alternate SSL/TLS library we could
> use in Debian?
Probably - but I think there is enough time left for jessie that we
don't need to jump to conclusion already and can watch this unfol
16 matches