Re: [Cryptography] LibreSSL unaffected by DROWN
On 3/2/16, Viktor Dukhovni <cryptography@dukhovni.org> wrote:
OpenSSL 1.1.0 (days away from beta), which does break compatibility with 1.0.x, also removes SSLv2, and has many improvements that LibreSSL does not. Neither is strictly better, there are surely things that are better in LibreSSL than in OpenSSL 1.1.0.
Theo is an avid marketer, the reality is a bit more complex.
So then where is the link to an independant website which stays current and puts say Libre 2.2.[x] and Open 1.0.2[x] side by side in a feature / protocol / api review table?
On Wed, Mar 02, 2016 at 10:27:44PM -0500, grarpamp wrote:
Theo is an avid marketer, the reality is a bit more complex.
So then where is the link to an independant website which stays current and puts say Libre 2.2.[x] and Open 1.0.2[x] side by side in a feature / protocol / api review table?
Both share usage of a lot of if(0) {label:}, what C experts say about this? in libressl 2.3.2 (latest as of now) and openssl 1.0.1p (and probably later) in ssl/s3_clnt.c 984: if (CBS_len(&cert_list) < 3) goto truncated; 1657: if (0) { truncated: SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_BAD_PACKET_LENGTH); } Some more info on my blog: https://j.ludost.net/blog/archives/2016/03/02/literate_programming_in_c_if0/...
participants (2)
-
Georgi Guninski -
grarpamp