On Sat, Dec 14, 2013 at 03:34:03PM +0100, Kurt Roeckx wrote:
> > >
> > > I wouldn't bother trying to get those to stable if I didn't think
> > > they were important.
> >
> > So can someone please do something about this request?
>
> Ping?

This bug has now been open for almost 5 months. There are basically 2 very easy changes:

1) Add enable-ec_nistp_64_gcc_128 to Configure on *-amd64

   This makes the nistp curves used in, for instance, ECDHE constant time. Being constant time is important for security since it avoids side channel timing attacks. Those allow you to recover the private key based on the timing of the response.

2) Enable assembler on arm. That is, replace ${no_asm} with ${armv4_asm}.

   This improves the performance on arm.

Both those changes have been very well tested and have been in unstable and testing for almost 8 months.

In the meantime there has been a new upstream release containing important bug fixes. You can argue about some of the changes upstream made in the stable branch, but they consider those changes to be important enough to put them in the stable branch. One of the changes is to stop putting a timestamp in server/client hello and instead put something random there like it's supposed to be, which breaks tlsdate.

I would like to get a lot of those changes, in the order of 20 or 30 patches, in stable. But I would actually prefer to just get the new upstream version in stable instead.

Kurt
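An added illustration, not part of the original message or of OpenSSL or tlsdate code: the first 4 bytes of the 32-byte ServerHello random are the gmt_unix_time field that a client such as tlsdate reads as the server's clock, so a server that fills the whole field with random bytes no longer yields a usable time. The record builder, the `NOW` value, the one-day skew limit and both sample randoms are constructed for this example.

```python
import struct

NOW = 1387031643  # constructed "current time" (December 2013), an assumption

def build_server_hello(random32: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ServerHello record around a 32-byte random."""
    if len(random32) != 32:
        raise ValueError("random must be 32 bytes")
    # version, random, empty session id, one cipher suite, null compression
    hello = b"\x03\x03" + random32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def server_hello_time(record: bytes) -> int:
    """Return the first 4 bytes of ServerHello.random as a 32-bit integer."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) < rlen or len(body) < 4:
        raise ValueError("truncated record body")
    if body[0] != 2:
        raise ValueError("not a ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    if len(hello) < 34:  # 2 bytes of version + 32 bytes of random
        raise ValueError("truncated ServerHello")
    return struct.unpack("!I", hello[2:6])[0]

def looks_like_clock(value: int, now: int, max_skew: int = 86400) -> bool:
    """True if the 4-byte prefix is within max_skew seconds of the local time."""
    return abs(value - now) <= max_skew

if __name__ == "__main__":
    # Constructed randoms: timestamp prefix versus fully random bytes.
    with_time = struct.pack("!I", NOW - 3) + bytes(28)
    all_random = bytes.fromhex("9f3c71e2") + bytes(range(28))
    for label, rnd in (("timestamp prefix", with_time), ("fully random", all_random)):
        t = server_hello_time(build_server_hello(rnd))
        print(f"{label}: value={t} plausible_clock={looks_like_clock(t, NOW)}")
```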