1. 35
    1. 3

      I have two questions:

      • Is LibreSSL immune?
      • How can I quickly answer this class of question?
      1. 13

        So of 8 #openssl things forthcoming, all but two low severity ones were already
        fixed in #libressl - You won’t need to patch #libressl today

        – @bob_beck


      2. 1

        I doubt libressl still supports sslv2…

        1. 3

          I doubt it, too, but I’d love a quick way to know that doesn’t involve me either reading source or following the mailing list.

          1. 2

            Alas, there’s no easy way to tell exactly what has been removed or changed in LibreSSL. We could maintain such a list, but I think the project is more than the sum of our differences, so focusing on a bullet point list is the wrong approach.

      3. 1

        Looks like the wikipedia page has been updated1 to include what was known before this announcement. I wonder how long before it gets updated to current info…. Of course don’t forget that anyone can edit wikipedia, so take it with a grain of salt.

    2. 3

      The standout here is that if you reuse keys (eg between email & web servers), an attacker can use an email server that supports sslv2 to decrypt web traffic that uses modern crypto.

    3. 1

      Seems my personal site is fine according to the checker. I’ll keep an eye on it just to be sure though.