From owner-freebsd-security@FreeBSD.ORG Mon Sep 9 12:35:05 2013
Date: Mon, 9 Sep 2013 13:35:09 +0100
From: Jonathan Anderson <jonathan@FreeBSD.org>
To: Poul-Henning Kamp
Cc: freebsd-security@freebsd.org, "Koornstra, Reinoud", Ian Smith
Subject: Re: Anything in this story of concern?
Message-ID: <818FF794501044729A8936F009CF1B5F@FreeBSD.org>
In-Reply-To: <95933.1378712057@critter.freebsd.dk>
References: <20130909144142.J99094@sola.nimnet.asn.au> <94943.1378706943@critter.freebsd.dk> <0EEF6678B3EEC94B9AE44705DF224D023D48BF92@G9W0725.americas.hpqcorp.net> <95933.1378712057@critter.freebsd.dk>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

On Monday, 9 September 2013 at 08:34, Poul-Henning Kamp wrote:
> And BTW: That XXX comment is 10 years old.
>
> No, I say with conviction, based on personal inspection and experience,
> that OpenSSL is crap.
>
> And as Garrett Wollman correctly pointed out on twitter: It remains
> yet to be seen if any implementation of SSL/TLS can be non-crap,
> given that they are stuck with X.509.

And you're stuck with the old, vulnerable OpenSSL in your BMC, that old
router you've never gotten around to replacing, etc. I'm no fan of the
OpenSSL API either, but it is possible to fix vulnerabilities when they
arise; the much bigger problem is the set of vulnerabilities that you
can't patch.

Jon

--
Jonathan Anderson
jonathan@FreeBSD.org