I think any complex software is going to contain bugs - at least this one you know what happened & folks could patch/resolve the issue themselves if urgent enough. I am not saying anything about PolarSSL (I am not familiar with the product in any way). But better the devil you know....
------------------------------------------------------------------------
On 04/10/2014 03:17 PM, Stephan Fabel wrote:
> Question: given this issue, would anyone recommend switching SSL
> libraries? What about PolarSSL, for example?
>
> -Stephan
>
>
> On 04/07/2014 10:41 AM, Phil Pennock wrote:
>> If you're running OpenSSL 1.0.1 in any Internet-facing services, then
>> you'll want to:
>>
>> (1) Read the advisories
>> (2) Deploy emergency updates (either 1.0.1g or with heartbeats disabled)
>> (3) Figure out if you want to do key/cert rotation on assumption of
>> compromise
>>
>> Short version: length-checking flaw in TLS Heartbeats allows for 64kB of
>> memory disclosure, and the researchers have proven that they can use
>> this to exfiltrate the certificate's private key, and that this leaves
>> no audit log. Affects all releases of OpenSSL 1.0.1 prior to today's
>> "g" release.
>>
>> http://www.openssl.org/news/vulnerabilities.html#2014-0160
>> http://heartbleed.com/
>>
>> -Phil
>>
>>
>> _______________________________________________
>> Tech mailing list
>> [email protected]
>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
>> This list provided by the League of Professional System Administrators
>> http://lopsa.org/
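The length-checking flaw Phil summarises is the receiver trusting the heartbeat's own payload_length field instead of comparing it with the size of the TLS record that actually arrived. As an added example (not code from this thread, from OpenSSL or from PolarSSL), here is the check a receiver has to perform before echoing a heartbeat, using the RFC 6520 layout of one type byte, a two-byte length, the payload and at least 16 bytes of padding; the HB_* constants, the function names and the sample record are assumptions of mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

typedef struct {
    uint8_t type;
    uint16_t payload_length;
    const uint8_t *payload;   /* points into the received record */
} heartbeat_t;

/* Validate a heartbeat carried in a TLS record of record_len bytes. Returns true
 * only if the claimed payload_length fits inside the bytes actually received, with
 * room for the mandatory padding. The flaw described above was the absence of this
 * comparison: payload_length was trusted, so the echo read up to 64 kB past the data. */
bool heartbeat_parse(const uint8_t *record, size_t record_len, heartbeat_t *out)
{
    if (record == NULL || out == NULL) return false;
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return false;   /* header + padding */
    uint16_t claimed = (uint16_t)((record[1] << 8) | record[2]);
    /* 1 + 2 + payload_length + 16 <= record_len, written as a size_t subtraction
     * (safe: record_len >= 19 here) so the arithmetic itself cannot overflow. */
    if ((size_t)claimed > record_len - HB_HEADER_LEN - HB_MIN_PADDING) return false;
    out->type = record[0];
    out->payload_length = claimed;
    out->payload = record + HB_HEADER_LEN;
    return true;
}

/* Constructed sample: 24-byte record carrying the 5-byte payload "hello", then the
 * same record re-labelled to claim 65535 bytes, which must be rejected. 1 = pass. */
int heartbeat_selftest(void)
{
    uint8_t rec[24] = {1, 0, 5, 'h', 'e', 'l', 'l', 'o'};   /* remaining bytes: padding */
    heartbeat_t hb;
    if (!heartbeat_parse(rec, sizeof rec, &hb) || hb.payload_length != 5) return 0;
    if (hb.type != 1 || hb.payload != rec + HB_HEADER_LEN) return 0;
    rec[1] = 0xff; rec[2] = 0xff;                            /* oversized claim */
    if (heartbeat_parse(rec, sizeof rec, &hb)) return 0;
    rec[1] = 0; rec[2] = 0;                                  /* empty payload, short record */
    return heartbeat_parse(rec, 18, &hb) ? 0 : 1;
}
```

The same comparison is what makes disabling heartbeats (option 2 in Phil's list) unnecessary once a patched build is deployed: a record whose claimed length exceeds what was received is dropped instead of answered.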
