# LibreSSL not affected by DROWN attack



## Oko (Mar 2, 2016)

One more reason for FreeBSD to make complete switch to LibreSSL. 

http://undeadly.org/cgi


----------



## protocelt (Mar 2, 2016)

I'm not sure that would be possible on FreeBSD 10 and older due to large consumers of FreeBSD but it would be great to see it happen for 11.0-RELEASE at least. 

BTW, base OpenSSL has been updated to 1.0.2g: r296273.

Further info on the vulnerability (CVE-2016-0800): https://www.openssl.org/news/secadv/20160301.txt


----------



## drhowarddrfine (Mar 2, 2016)

From what I read, it's only if you support SSLv2. But who does that? No one should be.

https://drownattack.com/


> A server is vulnerable to DROWN if:
> 
> 
> It allows SSLv2 connections. This is surprisingly common, due to misconfiguration and inappropriate default settings. Our measurements show that 17% of HTTPS servers still allow SSLv2 connections.
> ...


----------



## protocelt (Mar 2, 2016)

. If that many servers are still using SSLv2 I can't wait to see all the havoc created with this...


----------



## Oko (Mar 2, 2016)

drhowarddrfine said:


> From what I read, it's only if you support SSLv2. But who does that? No one should be.
> 
> https://drownattack.com/


The same people who complain that the first move of LibreSSL guys was to nuke 50% of useless/obsolite code. I can't believe that OpenBSD put with this crap for such a long time. I can't wait to see GCC, and GNU binutils nuked on OpenBSD even if that means that OpenBSD will be running only on modern architectures: amd64, arm, and mips64. I have personally got rid of all other retro hardware which has also contributed to improvements in my marriage .


----------



## gofer_touch (Mar 2, 2016)

It seems like the OpenBSD guys are also completely getting rid of their Linux compatibility layer. 

https://marc.info/?l=openbsd-tech&m=145658890316402&w=2


----------



## SirDice (Mar 2, 2016)

Oko said:


> I have personally got rid of all other retro hardware which has also contributed to improvements in my marriage .


It does wonders for your electricity bill too. Got rid of a lot of old stuff some time ago and replaced a couple of power supplies for modern, more efficient, versions. I think it cut my monthly electricity bill in half 

In any case, as protocelt already noted the base has been patched. And I see the security/openssl port has been updated too. It's going to be a busy day today.


----------



## Oko (Mar 2, 2016)

gofer_touch said:


> It seems like the OpenBSD guys are also completely getting rid of their Linux compatibility layer.
> 
> https://marc.info/?l=openbsd-tech&m=145658890316402&w=2


It is old news long time overdue IMHO. Free should follow suit.


----------



## zspider (Mar 2, 2016)

SirDice said:


> It does wonders for your electricity bill too. Got rid of a lot of old stuff some time ago and replaced a couple of power supplies for modern, more efficient, versions. I think it cut my monthly electricity bill in half
> 
> In any case, as protocelt already noted the base has been patched. And I see the security/openssl port has been updated too. It's going to be a busy day today.



Yeah I'm not buying any more vintage computers. Except for maintaining the three I have.



Oko said:


> It is old news long time overdue IMHO. Fee should follow suit.



I agree, it would motivate to make the software work natively.


----------



## kpedersen (Mar 3, 2016)

Oko said:


> It is old news long time overdue IMHO. Free should follow suit.



Unfortunately I am one of the very few people who used OpenBSD's Linux compat. I needed it for perforce :/
https://www.ibm.com/developerworks/community/blogs/karsten/entry/perforce_on_openbsd_5_5

Perforce has actually bothered to put out a native FreeBSD binary but their OpenBSD one is for version 2.x and no longer works.
I ended up having to look into GitFusion to make a git compatibility layer over the Perforce server. Luckily all the other developers preferred to use Git in the end anyway so I managed to remove Perforce entirely from our work pipeline. So perhaps removing Linux compatibility layers is a great way to remove reliance on closed-source software


----------



## Oko (Mar 3, 2016)

kpedersen said:


> Unfortunately I am one of the very few people who used OpenBSD's Linux compat. I needed it for perforce :/
> https://www.ibm.com/developerworks/community/blogs/karsten/entry/perforce_on_openbsd_5_5
> 
> Perforce has actually bothered to put out a native FreeBSD binary but their OpenBSD one is for version 2.x and no longer works.
> I ended up having to look into GitFusion to make a git compatibility layer over the Perforce server. Luckily all the other developers preferred to use Git in the end anyway so I managed to remove Perforce entirely from our work pipeline. So perhaps removing Linux compatibility layers is a great way to remove reliance on closed-source software


Unfortunately that is a tough one. Switching a version control system to accommodate OS usually is not an option as I learn to know all too well. There are still few Flash/Java based configuration tools for proprietary network devices which were working under Linux compatibility layer on OpenBSD. That was the last thing holding Linux comp on i386 for a very long time. It is just too much obsolete security ridden kernel code for what is worth.


----------



## beastDemian (Mar 5, 2016)

I can't wait to see FreeBSD switch. OpenSSL makes me more and more concerned everyday.
As I understand it, there is a patch to make SSL in base private. Once that is done and applied, SSL is removed from the FreeBSD API/ABI and the switch can be made. The main concern was that LibreSSL developers have a support lifecycle of 2 years as opposed to the 5 years of a typical FreeBSD branch. Once SSL is removed from the API, however, I understand the support lifecycle should not be an issue.


----------

