Contributed by weerd on from the simply-secure-libressl dept.
Earlier today, Doug Hogan (doug@) committed the first parts of the removal of SSLv3 support from LibreSSL:
Log message: Remove SSLv3 support from LibreSSL.
This is the first wave of SSLv3 removal which removes the main SSLv3 functions. Future commits will remove the rest of the SSLv3 support. Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@, sthen@, naddy@, and deraadt@. ok jsing@, beck@
This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!
Thanks to Doug and the other LibreSSL developers for furthering the security of not only OpenBSD users!