1. 35

  2. 3

    I have two questions:

    • Is LibreSSL immune?
    • How can I quickly answer this class of question?
    1. 13

      So of 8 #openssl things forthcoming, all but two low severity ones were already
      fixed in #libressl - You won’t need to patch #libressl today

      – @bob_beck


      1. 1

        I doubt libressl still supports sslv2…

        1. 3

          I doubt it, too, but I’d love a quick way to know that doesn’t involve me either reading source or following the mailing list.

          1. 2

            Alas, there’s no easy way to tell exactly what has been removed or changed in LibreSSL. We could maintain such a list, but I think the project is more than the sum of our differences, so focusing on a bullet point list is the wrong approach.

        2. 1

          Looks like the wikipedia page has been updated1 to include what was known before this announcement. I wonder how long before it gets updated to current info…. Of course don’t forget that anyone can edit wikipedia, so take it with a grain of salt.

        3. 3

          The standout here is that if you reuse keys (eg between email & web servers), an attacker can use an email server that supports sslv2 to decrypt web traffic that uses modern crypto.

          1. 1

            Seems my personal site is fine according to the checker. I’ll keep an eye on it just to be sure though.