On Thu, Jan 7, 2016 at 11:58 AM, Jan Ehrhardt <php...@ehrhardt.nl> wrote:
> Anthony Ferrara in php.internals (Thu, 7 Jan 2016 11:30:14 -0500):
>>I agree with you in principle, but in this particular case I think
>>that there's enough justification considering how measurably bad
>>mcrypt is, and how little some people trust openssl.
>
> OTH, OpenSSL has made progress and the quality is improving as far as I
> can tell as a bystander.
> --
> Jan
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Their cipher implementations are OK. Their userspace "CS"PRNG needs to be
[any violent metaphor for "deleted" here] in favor of using the kernel's.
Then again, LibreSSL is also guilty of this. BoringSSL does it right.

Their certificate validation code, last I checked, is the stuff of
nightmares. I recall an 800+ line C function. (Have fun auditing that!)

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>