On 08/19/2015 12:11 PM, Michael Grimm wrote:
> On 19.08.2015, at 20:21, Michael Grimm <trash...@odo.in-berlin.de> wrote:
>> I will revert my primary mx to OpenSSL first.
> Done.
> BTW: LibreSSL 2.2.2 broke unbound 1.5.4 as well.
Already fixed in unbound upstream; they (unbound) were doing an improper
version check, if I recall, instead of a feature check. And the patch
removed checks specific to them doing something different if LibreSSL
was found.
That bug wasn't the fault of LibreSSL but of unbound.
-=-
It's kind of a chicken-and-egg problem: if LibreSSL isn't recommended
because it isn't well tested, then it will never be well tested.
But if it isn't recommended because of problems with LibreSSL itself,
that's understandable; still, I think at this point most of the bugs with
projects building against LibreSSL are actually exposing flaws in the
projects that weren't exposed with OpenSSL.
If there is any specific testing I can do, I would be happy to; I'm
running Postfix 2.11.6 built against LibreSSL 2.2.2 on CentOS 7 - but
for less than 48 hours now ;)
https://librelamp.com/#postfix
From the Postfix page on TLS:
``You also turn on thousands and thousands of lines of OpenSSL library
code. Assuming that OpenSSL is written as carefully as Wietse's own
code, every 1000 lines introduce one additional bug into Postfix.''
We now know OpenSSL has not been written as carefully as Postfix.
LibreSSL removed a lot of needless code and has cleaned up a lot of what
was left.