Message-ID:
 <ME0P300MB0713A46D3A408DA9AF20CF97EE802@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM>
Date: Thu, 15 Aug 2024 10:49:09 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: Neil Horman <nhorman@...nssl.org>, "oss-security@...ts.openwall.com"
	<oss-security@...ts.openwall.com>
Subject: Re: feedback requested regarding deprecation of TLS
 1.0/1.1

Hanno Böck <hanno@...eck.de> writes:

>My impression of OpenSSL is that it has a strong tendency to ship "bloat",
>i.e., features that either barely anyone needs, but that still get added
>(remember Heartbeat extension?), or that should've been deprecated long ago.

I think it's not so much the fault of OpenSSL per se but more that it ends up
as the universal guinea pig for anything a third party wants to play with.  I
don't know how many research papers I've read presenting some whiz-bang clever
idea that says something like "we modified OpenSSL x.yz to add ...".

One possible solution would be to have an experimental version of OpenSSL that
everyone can play with alongside the production version that minimises clever
ideas.

Peter.
