the Apple curl security incident 12604 | daniel.haxx.se
the Apple curl security incident 12604 | daniel.haxx.se
TL;DR? > The problem is strictly speaking not even in curl code. It comes with the version of LibreSSL that Apple ships and builds curl to use on their platforms.
But because they’re Apple (right next to the Pope, for infallibility), they know best; same old story, rinse’n’repeat.
Really liked their stuff back in the day. Now? It’s another walled garden they scrabble to maintain.
What day was it that you liked their stuff, and what made you stop?
LibreSSL is the fucking bane of my existence at work. So many issues caused by the keys it spits out vs others.
Anyone still using LibreSSL and not OpenSSL, has only themselves to blame. Or their company or whoever is forcing it on them.
Seems from the article that LibreSSL is fine, it's about Apple patches to it.
OpenBSD forked OpenSSL due to HeartBleed. OpenBSD developers are generally regarded as quite on top of their game when it comes to security, so why the "still using LibreSSL" FUD?
You can follow curl's lead developer on mastodon: @bagder@mastodon.social, seems like a very reasonable guy.