SoylentNews is people

posted by azrael on Saturday July 12 2014, @03:11AM   Printer-friendly
from the small-enough-to-carry dept.

It has finally happened. Bob Beck of The OpenBSD Foundation has just announced that the first release of LibreSSL portable is now available, and can be found in the LibreSSL directory of your favourite OpenBSD mirror.

libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OS X and FreeBSD.

This is intended to be an initial portable release of OpenBSD's libressl to allow the community to start using it and providing feedback, and has been done to address the issue of incorrect portable versions being attempted by third-parties. Support for additional platforms will be added as time and resources permit.

Related Stories

Bob Beck gives a 30-day status update on LibreSSL 44 comments

Bob Beck, who is an OpenBSD, OpenSSH, and LibreSSL developer as well as the director of the Alberta-based non-profit OpenBSD Foundation, gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.

Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that no one at OpenSSL is actually interested in maintaining OpenSSL, but merely in adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior).

Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers in finding and fixing even more OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL.

It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers have already been added to LibreSSL: RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for Funding Commitment -- the Linux Foundation is turning a blind eye to LibreSSL, and instead is only committed to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the OpenSSL project upstream. Funding can be directed to the OpenBSD Foundation.

Google Makes Fork of OpenSSL Called "BoringSSL" 18 comments

Google is releasing its own independently developed fork of OpenSSL, the widely used cryptography library that came to international attention following the Heartbleed vulnerability that threatened hundreds of thousands of websites with catastrophic attacks.

The unveiling of BoringSSL, as the Google fork has been dubbed, means there will be three separate versions of OpenSSL, which is best known for implementing the secure socket layer and transport layer security protocols on an estimated 500,000 websites. Developers of the OpenBSD operating system took the wraps off LibreSSL a few weeks after the surfacing of Heartbleed. Google is taking pains to ensure BoringSSL won't unnecessarily compete or interfere with either of those independent projects. Among other things, the company will continue to back the Core Infrastructure Initiative, which is providing $100,000 in funding for two full-time OpenSSL developers so the organization can refurbish its badly aging code base.

Why Google should choose to go this route has been discussed on HackerNews.

  • (Score: 5, Informative) by NCommander on Saturday July 12 2014, @03:20AM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Saturday July 12 2014, @03:20AM (#67961) Homepage Journal

    I've been following OpenSSL rampage [opensslrampage.org] to get an idea of the sort of crud they're ripping out of OpenSSL. I knew that code base was ugly, but I never quite realized how bad the braindamage is. There is a pretty good presentation about libreSSL, its genesis, and the internal ugliness that is stock OpenSSL. I'm looking forward to when the vast majority of the distros have migrated away from OpenSSL.

    Long live LibreSSL!

    --
    Still always moving
    • (Score: 2) by kaszz on Saturday July 12 2014, @03:33AM

      by kaszz (4211) on Saturday July 12 2014, @03:33AM (#67966) Journal

      Sounds good. :bravo:

      Theo will likely use the benevolent bugswatter *smash* away any norty bugs from inferior beings ;)

    • (Score: 2) by gallondr00nk on Saturday July 12 2014, @08:35AM

      by gallondr00nk (392) on Saturday July 12 2014, @08:35AM (#68017)

      There is a pretty good presentation about libreSSL, its genesis, and the internal ugliness that is stock OpenSSL.

      For those interested, I believe it's this presentation at BSDCan 2014 - LibreSSL with Bob Beck [youtube.com]

    • (Score: 1) by DeKO on Saturday July 12 2014, @11:29PM

      by DeKO (3672) on Saturday July 12 2014, @11:29PM (#68287)

      Thanks for that link. The Rampage website is as amusing as thedailywtf. I just learned a new anti-pattern to terrorize coworkers: ifdowhile.

      • (Score: 2) by maxwell demon on Sunday July 13 2014, @12:28AM

        by maxwell demon (1608) on Sunday July 13 2014, @12:28AM (#68300) Journal

        For even better effect, I suggest to use doifwhile instead. As added bonus, it also stresses the compiler's optimizer:

        do if (condition)
        {
          ...
        }
        while (condition);

        SCNR :-)

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Saturday July 12 2014, @03:29AM

    by Anonymous Coward on Saturday July 12 2014, @03:29AM (#67963)

    3.9p1 < 4.6

    Consumer culture has trained me to be a lazy freeloader. Give me free stuff, Internet!

  • (Score: 2) by frojack on Saturday July 12 2014, @05:38AM

    by frojack (1554) on Saturday July 12 2014, @05:38AM (#67986) Journal

    I wonder if this is aimed at the Joe User, or software developers.
    Is this something that is drop in compatible with existing SSL libraries?

    How much software out there relies on the detritus they excised?

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2, Informative) by Anonymous Coward on Saturday July 12 2014, @05:47AM

      by Anonymous Coward on Saturday July 12 2014, @05:47AM (#67992)

      Yes, it's a drop-in replacement. I just overwrote openssl with libressl today and I haven't found a single piece of software that breaks.

      • (Score: 2) by kaszz on Saturday July 12 2014, @06:41AM

        by kaszz (4211) on Saturday July 12 2014, @06:41AM (#68001) Journal

        Neat!

        That should mean that the API has an alright design?

        • (Score: 2, Interesting) by Anonymous Coward on Saturday July 12 2014, @07:30AM

          by Anonymous Coward on Saturday July 12 2014, @07:30AM (#68005)

          No, it still sucks. API compatibility is there to embrace OpenSSL. Then comes the time to extend it with a proper API. Finally OpenSSL will be extinguished and salt sown all over its lands.

          • (Score: 3, Funny) by maxwell demon on Saturday July 12 2014, @11:56AM

            by maxwell demon (1608) on Saturday July 12 2014, @11:56AM (#68064) Journal

            No, it still sucks. API compatibility is there to embrace OpenSSL. Then comes the time to extend it with a proper API. Finally OpenSSL will be extinguished and salt sown all over its lands.

            Wait ... you're not speaking about Microsoft, are you? :-)

            --
            The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by tibman on Monday July 14 2014, @02:03PM

      by tibman (134) Subscriber Badge on Monday July 14 2014, @02:03PM (#68911)

      Just read a good article about replacing openSSL with libreSSL: https://blog.hboeck.de/archives/851-LibreSSL-on-Gentoo.html [hboeck.de]
      Still not exactly aimed at Joe User but you could use this guy's work to get libreSSL up. He also talks about various programs that had to be altered or tricked to work with the new ssl library.

      --
      SN won't survive on lurkers alone. Write comments.
  • (Score: 3, Funny) by albert on Saturday July 12 2014, @08:23AM

    by albert (276) on Saturday July 12 2014, @08:23AM (#68015)

    That was a link to the donations page. OK, so if I donate... I get to pick a platform? Sweet. Oh, maybe we should put it up for a vote here. Well, I have ideas!

    * System III UNIX, using the STREAMS network API

    * DOSRMX, with the insane 48-bit segment:offset addressing

    * FreeRTOS running on the Intel 8052, making good use of the 256 bytes of RAM

    I wonder if they'd mind keeping a log of the curse words they invent.

  • (Score: 2) by KritonK on Monday July 14 2014, @09:31AM

    by KritonK (465) on Monday July 14 2014, @09:31AM (#68825)

    I just compiled libressl under CentOS 6, and got a few warnings. After the kind of cleanup that openssl underwent, I'd have expected not to get any warnings at all.