On 10/30/2017 04:05, Julian Elischer wrote:
> On 29/10/17 8:36 am, Eric McCorkle wrote:
>> On 10/28/2017 09:15, Poul-Henning Kamp wrote:
>>> --------
>>> In message <20171028123132.GF96685 at kduck.kaduk.org>, Benjamin Kaduk
>>> writes:
>>>
>>>> I would say that the 1.1.x series is less bad, especially on the
>>>> last count,
>>>> but don't know how much you've looked at the differences in the new
>>>> branch.
>>> While "less bad" is certainly a laudable goal for OpenSSL, I hope
>>> FreeBSD has higher ambitions.
>>>
>> I'm curious about your thoughts on LibreSSL as a possible option.
>
> what gives any evidence as to it being any better?

At least for about its first year and a half, LibreSSL had a markedly
better track record than OpenSSL (zero high-severity CVEs vs 5 from
OpenSSL, about half as many mid- and low-security CVEs).

On 31 October 2017 at 11:48, Eric McCorkle <eric at metricspace.net> wrote:
> On 10/30/2017 04:05, Julian Elischer wrote:
>> On 29/10/17 8:36 am, Eric McCorkle wrote:
>>> On 10/28/2017 09:15, Poul-Henning Kamp wrote:
>>>> --------
>>>> In message <20171028123132.GF96685 at kduck.kaduk.org>, Benjamin Kaduk
>>>> writes:
>>>>
>>>>> I would say that the 1.1.x series is less bad, especially on the
>>>>> last count,
>>>>> but don't know how much you've looked at the differences in the new
>>>>> branch.
>>>> While "less bad" is certainly a laudable goal for OpenSSL, I hope
>>>> FreeBSD has higher ambitions.
>>>>
>>> I'm curious about your thoughts on LibreSSL as a possible option.
>>
>> what gives any evidence as to it being any better?
>
> At least for about its first year and a half, LibreSSL had a markedly
> better track record than OpenSSL (zero high-severity CVEs vs 5 from
> OpenSSL, about half as many mid- and low-security CVEs).

Not getting CVEs doesn't mean not having the issues:
https://marc.info/?l=openbsd-announce&m=140752800525709

> At least for about its first year and a half, LibreSSL had a markedly
> better track record than OpenSSL (zero high-severity CVEs vs 5 from
> OpenSSL, about half as many mid- and low-security CVEs).

Are any of these relevant to the crypto module? Or are they all only
applicable to the SSL protocol?

As I understand the discussion so far, the goal is to unify all the
disparate crypto pieces in the base system. That could certainly be done
using OpenSSL's libcrypto, and let users select their SSL provider from
the ports tree.

-spw