cnst [cnst.su] writes:

Bob Beck — OpenBSD, OpenSSH and LibreSSL [libressl.org] developer and the director of the Alberta-based non-profit OpenBSD Foundation [openbsdfoundation.org] — gave a talk earlier today at BSDCan 2014 in Ottawa [bsdcan.org], discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing [openbsd.org] for a drop-in replacement, without the #ifdef spaghetti [openbsd.org] and without its own "OpenSSL C" dialect.

Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front [openbsd.org] for FIPS consulting gigs, and that no one at OpenSSL is actually interested in maintaining OpenSSL, but merely in adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years [openbsd.org] (CVE-2010-5298 [mitre.org] has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior). Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful [openbsd.org] to the OpenBSD developers at finding and fixing even more OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL.

It is revealed that a lot of crude cleaning has already been completed [openbsd.org], and the process is still ongoing, but some new ciphers [openbsd.org] already saw their addition to LibreSSL — RFC 5639 EC Brainpool [bxr.su], ChaCha20 [bxr.su], Poly1305 [bxr.su], FRP256v1, and some derivatives based on the above, like the ChaCha20-Poly1305 AEAD EVP [bxr.su] from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs [openbsd.org], and asks the community for a Funding Commitment [openbsd.org] — the Linux Foundation is turning a blind eye to LibreSSL, and instead is only committed to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the OpenSSL project upstream. Funding can be directed to the OpenBSD Foundation [openbsdfoundation.org].