LibreSSL on Gentoo (hboeck.de)
99 points by stefantalpalaru on July 12, 2014 | 17 comments



The interaction between OpenSSH portable and LibreSSL portable is especially amusing.


The current source for OpenSSH no longer requires linking to (Open|Libre)SSL: http://undeadly.org/cgi?action=article&sid=20140430045723


It sounds like there should be something like a libopenbsdcompat containing arc4random et al., which both these packages would then import+depend on.


Now that the glibc leadership changes have taken place, hopefully we can see functions like arc4random, explicit_bzero, timingsafe_bcmp, reallocarray and the other stuff actually appear in glibc where they belong, so no glue will be required.

They are pretty damn useful when you're trying to do secure programming.

(Of course, arc4random should use ChaCha20.)


The function name is arc4random but it's chacha20: http://marc.info/?l=openbsd-cvs&m=138065251627052&w=2


Indeed, that's my point: don't forget that the name is legacy and slightly misleading.

RC4 is about to get another public result against it, btw.


I think there recently was a proposal for reallocarray in glibc. Not sure what happened to it though.


There's libbsd for Linux, although I can't comment on the quality of its implementation.


libbsd and gnulib are pretty much just functions copy-pasted out of their original locations into conveniently organized repositories. There's not much to speak of concerning implementation quality.


FreeBSD already has it in ports:

http://www.freshports.org/security/libressl

And there is work underway to make it an option for things that use OpenSSL currently.


Only tangential to the article, but only now (via the link to the apache patch) did I realise it was libReSSL. Makes the name so much more interesting!


It was LibReSSL for a while, but it seems they changed it back to LibreSSL: http://www.libressl.org/


Did anyone else get a blue bar in the middle of the text while trying to read from mobile?


Hello, I'm the owner of the blog, I have changed the blue bar now to be only in the header, should improve things and no longer get into the content.

I need to look into this in detail at some point, but for now it should be readable.


Another issue:

  The page at 'https://blog.hboeck.de/archives/851-LibreSSL-on-Gentoo.html' 
  was loaded over HTTPS, but displayed insecure content from 
  'http://vg07.met.vgwort.de/na/4f1f65b6b6e4419c97ea81e7d27cc0a0': 
  this content should also be loaded over HTTPS.


You'll see this often on sites that use CDNs to serve images. Adding SSL to a CDN at levels used by smaller sites easily doubles the cost.


In that case that's a nasty tracker image by a German "writers collecting society"...



