Compiling a better OpenSSL in light of heartbleed bug

Compiling a better OpenSSL in light of heartbleed bug

Steven Kneizys
I am reading some conflicting advice out there about the state of the fix.  Some
folks want the official fix in now!  But from what I am reading it seems like we have
a patched version but that the problem isn't fully fixed.  I am trying to decide if
some of the unimplemented bug-fixes submitted are worth putting in at this time.

I made a little notebook for myself:

I am trying to figure out what extra things, if any, I should include in a compile.  Should I start with 1.0.1f and just disable heartbeats?  Or do that on 1.0.1g?  Is
the buffer release issue worth fixing while I am in there?  Any other critical things I should do?  Or just go with the 1.0.1g version for now to production while more

Of the unimplemented bug-fixes or issues outstanding, which should we be working on with the highest priority?

Thanks,

Steve...

--
Steve Kneizys
Senior Business Process Engineer
Voice: (610) 256-1396  [For Emergency Service (888)864-3282]
Ferrilli Information Group -- Quality Service and Solutions for Higher Education
web: http://www.ferrilli.com/

Making you a success while exceeding your expectations.
Re: Compiling a better OpenSSL in light of heartbleed bug

Viktor Dukhovni
On Thu, Apr 10, 2014 at 03:33:09PM -0400, Steven Kneizys wrote:

> But from what I am reading it seems like we have
> a patched version but that the problem isn't fully fixed.

The specific problem is fully fixed.  The ongoing discussion is
about structural improvements to the code to make similar issues
less likely or likely to have less impact in the future.

> I am trying to decide if some of the unimplemented bug-fixes submitted
> are worth putting in at this time.

You should probably wait.

> I am trying to figure out what extra things, if any, I should include in a
> compile.  Should I start with 1.0.1f and just disable heartbeats?

This is one option.

> Or do that on 1.0.1g?

Also an option, but not essential.

> Of the unimplemented bug-fixes or issues outstanding, which should we be
> working on with the highest priority?

There are no publicly known outstanding high-urgency issues.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
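
The build options discussed in this thread (1.0.1f or 1.0.1g, with heartbeats compiled out) can be told apart on a deployed build from the text of `openssl version -a`. The script below is an added example, not part of either message; it assumes the upstream affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and the `-DOPENSSL_NO_HEARTBEATS` build flag, neither of which is stated in the thread, and its sample outputs are constructed.

```sh
#!/bin/sh
# Added example: classify an OpenSSL build from `openssl version -a` text.
# Assumptions (not from the thread): upstream 1.0.1 through 1.0.1f and
# 1.0.2-beta1 are the Heartbleed-affected releases, and a build configured
# with -DOPENSSL_NO_HEARTBEATS shows that flag on the "compiler:" line.
# Vendor packages may backport the fix without changing the version letter,
# so "exposed" here means "by upstream numbering".

classify_build() {
    info=$1
    # First line looks like "OpenSSL 1.0.1f 6 Jan 2014".
    ver=$(printf '%s\n' "$info" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    # Suffixed builds such as 1.0.1e-fips count with their base release.
    case $ver in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) affected=yes ;;
        *) affected=no ;;
    esac

    # Only the compiler line is trusted for the build flag.
    if printf '%s\n' "$info" | grep '^compiler:' |
            grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
        hb=off
    else
        hb=on
    fi

    if [ "$affected" = no ]; then
        echo "unaffected heartbeats=$hb"
    elif [ "$hb" = off ]; then
        echo "mitigated heartbeats=off"
    else
        echo "exposed heartbeats=on"
    fi
}

# Constructed, abbreviated sample outputs: stock 1.0.1f, then the two
# options raised in the thread (heartbeats disabled on 1.0.1f or 1.0.1g).
SAMPLE_F_STOCK='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall'
SAMPLE_F_NOHB='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_HEARTBEATS -O3 -Wall'
SAMPLE_G_NOHB='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_HEARTBEATS -O3 -Wall'

for s in "$SAMPLE_F_STOCK" "$SAMPLE_F_NOHB" "$SAMPLE_G_NOHB"; do
    classify_build "$s"
done
```

On a live host, call `classify_build "$(openssl version -a)"`; this reports on the command-line binary's library, so a service linked against a different copy of libssl needs checking separately.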