Slashdot Mirror

← Back to Stories (view on slashdot.org)

LibreSSL Unaffected By DROWN

Posted by timothy on from the waterproof dept.

serviscope_minor writes: The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintainance of OpenSSL, culminating in the heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSL2 which has fundamental security flaws. As a result, LibreSSL is not affected by the DROWN bug. LibreSSL is largely compatible with OpenSSL. The main exceptions are in the cases where programs use insecure functions removed from libreSSL, or require bug compatiblity with OpenSSL.

3 of 60 comments (clear)

  1. Same for BoringSSL by shawn2772 · · Score: 3, Informative

    BoringSSL is Google's internal fork of OpenSSL (though it's open source). It also removed all support for SSLv2 some time ago. Or, more accurately, it the SSLv2 implementation was never added to it.

    https://www.imperialviolet.org/2015/10/17/boringssl.html

    1. Re:Same for BoringSSL by shawn2772 · · Score: 3, Informative

      BoringSSL is Google's internal fork of OpenSSL (though it's open source). It also removed all support for SSLv2 some time ago. Or, more accurately, it the SSLv2 implementation was never added to it.

      I don't quite follow: if it was a fork it would have come with SSLv2 since OpenSSL comes with it. How can it have not been added in the first place?

      From the blog post that I linked:

      Generally when people say “forking” they mean that they took a copy of the code and started landing patches independently of the original source. That's not what we did with BoringSSL. Rather than start with a copy, I started with an empty directory and went through OpenSSL function-by-function, reformatting, cleaning up (sometimes discarding) and documenting each one.

      However, Adam did say that the SSL code was handled a bit differently, it was copied then incrementally improved, and the improvements included removing SSLv2 support. So my claim that SSLv2 was never added to BoringSSL was wrong. It was copied over from OpenSSL, then removed.

  2. Re:Why is this newsworthy? by bluefoxlucid · · Score: 1, Informative

    They don't produce better code. LibreSSL is not vulnerable because LibreSSL is OpenSSL with SSLv2 turned off; they just deleted a feature. You can't compile it in, whereas on OpenSSL you have the option to run without SSLv2.

    OpenBSD LibreSSL is largely OpenSSL, and the part that has the vulnerability was *removed* rather than fixed. You might as well say a fork of Firefox has better code because it has no JavaScript engine and thus isn't vulnerable to Spidermonkey bugs.

    --
    Support my political activism on Patreon.