On January 30, 2017 1:05 Allan McRae wrote:

> Please cite one example. Every CVE I have seen that is of at least
> high severity has affected both. There have been some low severity ones
> only affecting openssl.
>
> Even worse, the fix time for libressl in the couple of issues I
> monitored was worse than openssl.


I don't have a ready list, but I can make one, sure. One thing I can say
is that it wasn't *every*[0] high/critical CVE that affected both libraries.

And yes, I presume fix time will be somewhat worse than OpenSSL's, because
it is a portable version of a library mainly focused on OpenBSD.

As I said, it is a suggestion for us to consider instead of going the OpenSSL 1.1
way. Both will be hard, but I think in the end we would be better off using
LibreSSL.

Cheers,
Giancarlo Razzolini

[0] https://en.wikipedia.org/wiki/LibreSSL
