LibreSSL not affected by DROWN attack
Predrag Punosevac
predragp at cs.cmu.edu
Wed Mar 2 10:48:44 EST 2016
Dear Autonians,
This is a pre-emptive note, as I am sure some of you will e-mail me as the
news about the OpenSSL DROWN attack trickles down to the user community. Our
perimeter firewalls are largely unaffected by this exploit since we are
running or in the process of upgrading to the latest OpenBSD, which
doesn't even use OpenSSL but rather its own 50% smaller version of
LibreSSL. I am considering switching our desktops from OpenVPN to
L2TP/IPsec, as OpenVPN indeed heavily relies on OpenSSL and Linux-specific
stuff and is indeed the "unsafest" part of our network. Finally, the
people who should be really concerned about this are HTTPS users who use
SSLv2 (I am also in the process of switching our nginx proxies to relayd
for that very reason, as the second one uses LibreSSL). The SSLv2 protocol is
obsolete and should not be used. LibreSSL doesn't even have support
for it anymore. Also, current versions of OpenSSH contain no
OpenSSL-related code.
Best,
Predrag