OpenBSD Journal

Removal of SSLv3 from LibreSSL

Contributed by weerd on from the simply-secure-libressl dept.

Earlier today, Doug Hogan (doug@) committed the first parts of the removal of SSLv3 support from LibreSSL:

Log message:
Remove SSLv3 support from LibreSSL.
This is the first wave of SSLv3 removal which removes the main SSLv3
functions.  Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15.  Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@

This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software eco-system will benefit. In short: you know what to do!

Thanks to Doug and the other LibreSSL developers for furthering the security of not only OpenBSD users!

(Comments are closed)


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]