DaemonForums  


News - News regarding BSD and related.

#1 - 15th April 2014
J65nko (Administrator; joined May 2008; Budel - the Netherlands; 4,125 posts)
Please Put OpenSSL Out of Its Misery

From http://queue.acm.org/detail.cfm?id=2602816 an analysis by FreeBSD and Varnish developer Poul-Henning Kamp:

Quote:
OpenSSL must die, for it will never get any better.

Poul-Henning Kamp

The OpenSSL software package is around 300,000 lines of code, which means there are probably around 299 bugs still there, now that the Heartbleed bug — which allowed pretty much anybody to retrieve internal state to which they should normally not have access — has been fixed.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#2 - 16th April 2014
comet--berkeley (Richard; Package Pilot; joined Apr 2009; California; 163 posts)
OpenBSD has started a massive strip-down and cleanup of OpenSSL

Quote:
Originally Posted by J65nko View Post
From http://queue.acm.org/detail.cfm?id=2602816 an analysis by FreeBSD and Varnish developer Poul-Henning Kamp:
Quote:
OpenSSL must die, for it will never get any better.
...
OpenBSD always gets blamed for OpenSSL and so apparently they decided to try and clean up the mess.


http://www.undeadly.org/cgi?action=a...&mode=expanded

http://www.undeadly.org/

Last edited by comet--berkeley; 16th April 2014 at 09:35 PM. Reason: fix url
#3 - 17th April 2014
Beastie (Daemonology student; joined Jan 2009; /dev/earth0; 335 posts)

Quote:
Originally Posted by comet--berkeley View Post
OpenBSD always gets blamed for OpenSSL and so apparently they decided to try and clean up the mess.
Pardon my ignorance, but what exactly is the relation between the two? All I've found is that two members of the core team - Ben Laurie and Ralf Engelschall - are also FreeBSD committers, among many other things.

The only mention of "BSD" in anything related to OpenSSL, is its 4-clause BSD License.
__________________
May the source be with you!
#4 - 17th April 2014
ocicat (Administrator; joined Apr 2008; 3,318 posts)

Quote:
Originally Posted by Beastie View Post
Pardon my ignorance, but what exactly is the relation between the two?
None. Because the names "OpenSSL" & "OpenBSD" both start with the moniker "Open", many equate the two as coming from the same set of developers. They do not.

However, as comet-berkeley has linked, the OpenBSD developers have taken on the task of correcting all of the ills of OpenSSL found in OpenBSD. Rapid & frequent changes are now being checked into OpenBSD's CVS repository chopping out all kinds of cruft.
#5 - 17th April 2014
Beastie (Daemonology student; joined Jan 2009; /dev/earth0; 335 posts)

Thanks for clarifying that, ocicat. That's what I suspected.

I read about this overhaul by the OpenBSD team yesterday. It's definitely good considering how bad things are. I hope the changes get accepted upstream, and if they don't, I hope 1) it doesn't become a fork that is too much of a burden for the OpenBSD project to maintain and 2) it doesn't deviate so much that it becomes incompatible with all the software that relies on this particular implementation.
__________________
May the source be with you!
#6 - 18th April 2014
censored (Swen Tnavelerri; joined Jan 2014; 45 posts)
PolarSSL

Has anyone here used PolarSSL? It's said to be much cleaner, code-wise, but I haven't looked at it myself, other than to change a couple of lines to compile it together with curl. It seemed to work OK on my cursory looksee, and it's dual-licensed, commercial and GPL2. There are other alternatives, but I suspect some are problematic license-wise...
#7 - 18th April 2014
censored (Swen Tnavelerri; joined Jan 2014; 45 posts)

I have to agree with phk about the certificate system. The current system of certificates seems ridiculously akin to stealing candy from babies...

The banks just keep on paying ($billions) because they're still able to eke out a profit post exploit-madness. Tells you how high the profits are...
#8 - 22nd April 2014
jggimi (More noise than signal; joined May 2008; USA; 7,975 posts)
NEWS: An official fork of OpenSSL

We have three threads now for the Heartbleed bug. This, that, and the other. I had a choice where to post this, so I picked this thread as it is one of the ones in the News subforum. I am not inclined to start a fourth thread.

LibreSSL is the name of the OpenBSD Project's official fork of OpenSSL.

You can follow the development via the fork's website, freshmeat.org, or opensslrampage.org.

Last edited by jggimi; 22nd April 2014 at 05:38 PM. Reason: link, clarity
#9 - 22nd April 2014
LeFrettchen (Marveled user; joined Aug 2012; France; 405 posts)

I love the LibreSSL webpage:
Quote:
This page scientifically designed to annoy web hipsters.
__________________
ThinkPad W500 P8700 6GB HD3650 - faultry
ThinkStation P700 2x2620v3 32GB 1050ti 3xSSD 1xHDD
24th April 2014
J65nko (Administrator; joined May 2008; Budel - the Netherlands; 4,125 posts)

Ars Technica has an article about LibreSSL:
OpenSSL code beyond repair, claims creator of “LibreSSL” fork
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
24th April 2014
Carpetsmoker (Martin; Tcpdump Spy; joined Apr 2008; Netherlands; 2,243 posts)

Here's what I posted in the Ars comments section a few days ago:

The whole "we don't get enough donations to code properly" excuse is, quite honestly, a pile of horseshit.
No one demanded the heartbeat extension, there was no deadline, and few people used it even when it was implemented. The OpenSSL people obviously had a choice of how to implement this. They chose to implement it badly. Using it as an excuse now only serves to highlight their complete lack of responsibility & cognitive dissonance.

Perhaps the lack of documentation and code quality can, at least *in part*, be attributed to the lack of donations, but to me it seems that the OpenSSL people are just churning along code, fairly happy with the status quo. There has, for example, never been an OpenSSL fundraiser. You can't just expect people to start knocking at your door asking you to please take their money.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
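The defect behind both the PHK quote at the top of the thread ("retrieve internal state to which they should normally not have access") and Carpetsmoker's "they chose to implement it badly" is a single missing bounds check: the heartbeat handler trusted the payload length declared inside the request instead of the length of the record it had actually received, and echoed that many bytes back from memory. The C below is an added illustration written for this page, not OpenSSL's or LibreSSL's code. It models the heartbeat message layout from RFC 6520 (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) against a constructed buffer that stands in for the heap, with the check switchable so the unchecked and checked behaviours can be compared side by side. The function names, the buffer sizes and the "secret" bytes are the example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/*
 * Build a heartbeat response for a request 'rec' that arrived in a record of
 * 'rec_len' bytes. Returns the response length, or -1 if the request is refused.
 * With check_bounds == 0 the handler trusts the declared payload_length (the
 * Heartbleed behaviour); with check_bounds != 0 it first verifies that the
 * declared payload plus padding actually fit inside the received record,
 * which is the substance of the fix.
 */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    if (check_bounds && 1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;                    /* declared length lies about the record */

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    /* Unchecked, this memcpy reads past the end of the request into whatever
     * follows it in memory and sends those bytes back to the peer. */
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Byte-string search helper (avoids the non-portable memmem). */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/*
 * Constructed scenario: a 128-byte "heap" holding a 21-byte heartbeat request
 * (2 real payload bytes + 16 padding) whose header claims a 64-byte payload,
 * followed a few bytes later by unrelated secret data.
 * Returns 1 if the secret ends up in the response, 0 if the request is refused
 * or the response is clean.
 */
int heartbleed_demo(int check_bounds)
{
    static const char secret[] = "SECRET-KEY-MATERIAL";   /* constructed sample data */
    uint8_t heap[128];
    memset(heap, 'A', sizeof heap);

    uint8_t *rec = heap;
    rec[0] = HB_REQUEST;
    rec[1] = 0; rec[2] = 64;                   /* declared payload_length = 64 */
    rec[3] = 'h'; rec[4] = 'i';                /* actual payload = 2 bytes */
    memset(rec + 5, 0, HB_PADDING);
    size_t rec_len = 1 + 2 + 2 + HB_PADDING;   /* 21 bytes really received */
    memcpy(heap + rec_len + 4, secret, sizeof secret - 1);  /* lives just past the record */

    uint8_t out[256];
    int n = heartbeat_respond(rec, rec_len, out, sizeof out, check_bounds);
    if (n < 0)
        return 0;
    return contains(out, (size_t)n, secret);
}

/* A well-formed request must still be answered once the check is in place. */
int heartbeat_honest_demo(void)
{
    uint8_t rec[1 + 2 + 2 + HB_PADDING] = { HB_REQUEST, 0, 2, 'h', 'i' };
    uint8_t out[64];
    int n = heartbeat_respond(rec, sizeof rec, out, sizeof out, 1);
    return n == (int)sizeof rec && out[0] == HB_RESPONSE && out[3] == 'h' && out[4] == 'i';
}

int main(void)
{
    printf("unchecked handler leaks secret: %d\n", heartbleed_demo(0));        /* 1 */
    printf("checked handler leaks secret:   %d\n", heartbleed_demo(1));        /* 0 */
    printf("checked handler answers honest request: %d\n", heartbeat_honest_demo()); /* 1 */
    return 0;
}
```

The point of the side-by-side is that the fix costs one comparison against a length the server already knows (the record length it read off the wire); the attacker's 64-byte claim is rejected, while an honest request whose declared length matches the bytes received still gets its echo. The over-read here stays inside the constructed array so the demo is well-defined C; in the real bug the same memcpy walked off the end of a heap allocation.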
25th April 2014
guitarfreak (Port Guard; joined Apr 2014; 10 posts)

Just thought I would mention that The Register had a rather nice write up of the fork - http://www.theregister.co.uk/2014/04...fork_libressl/

I thought their (actually somewhat critically honest) write up of the effort to pump cash into OpenSSL had an interesting quote at the end:
Quote:
The precise amount of funding was not disclosed. This looks to be a better initiative than a scheme started by security startup Bugcrowd to get more than $100,000 in donations to financially reward infosec professionals for closing other OpenSSL bugs. At the time of writing Bugcrowd's scheme had raised a little under $8,000. Meanwhile, OpenBSD has been busy forking OpenSSL into LibreSSL and tidying it up.
http://www.theregister.co.uk/2014/04...nfrastructure/

It's nice to see a major news site echo Carpetsmoker's sentiment rather than just go with corporate line that throwing money at OpenSSL will make everything better, which a lot of prominent sites (Ars *cough cough*) are embracing to a large extent.

Last edited by guitarfreak; 25th April 2014 at 05:27 AM. Reason: typo
25th April 2014
thirdm (Spam Deminer; joined May 2009; 248 posts)

Just one nit I have with this article (and they certainly aren't alone in this).

In college I had a couple of friends who were devout Muslims. Every time they said Allah they had to also say peace be upon him. It's like the tech press and the part of the free software crowd outside the BSDs have a similar tic, but of opposite sentiment, when invoking Theo's name. They can't do it, whatever the context, without an extra adjective or two about him being cantankerous (but usually it's less politely put). It's tiresome.