1. 14

  2. 1

    So why would the crypto community recommend against checking for them? The cost is essentially zero.

    And why is OpenSSL superior for fixing code nobody uses?

    1. 4

      …I don’t think that OpenSSL is being considered superior here.

      1. 1

        “The LibreSSL response? The #ifdefs and code in them have been deleted.

        The OpenSSL response? The code… that in 11 years had never been used… for a deprecated cipher… was fixed on Saturday, retaining the #ifdefs

        <drops mic; walks off stage>”

        They are trying to sound superior because they “fixed” the code rather than just deleting it.

        1. 10

          Philip Guenther, author of this email, is an OpenBSD and LibreSSL developer.

          I’m confused why everyone is confused - perhaps guenther@’s commit will clear that up. If not: Guenther & LibreSSL are trying to (rightly) sound superior to OpenSSL because the right decision is to yank never-used code on a long-dead cipher.

          As to GP:

          “So why would the crypto community recommend against checking for them? The cost is essentially zero.”

          DES was broken in < 1 day in 2008. Who knows how fast we can do it today. You shouldn’t be generating new DES keys under any situation. Adding code to support it only adds more places for bugs to live.

          1. 5

            This was on the openbsd-tech mailing list. I don’t think OpenSSL is trying to sound anything, as they weren’t involved in the discussion.