Crypto overhaul
    Ben Laurie 
    ben at links.org
       
    Mon Oct 30 23:48:20 UTC 2017
    
    
  
On 29 October 2017 at 15:17, Eric McCorkle <eric at metricspace.net> wrote:
> On 10/29/2017 09:46, bf wrote:
>> On 10/29/17, Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
>>> --------
>>> In message <df46aaa5-13a9-2fc6-bcd2-d57d792800eb at metricspace.net>,
>>> Eric McCorkle writes:
>>>> On 10/28/2017 09:15, Poul-Henning Kamp wrote:
>>>>> --------
>>>>> In message <20171028123132.GF96685 at kduck.kaduk.org>, Benjamin Kaduk
>>>>> writes:
>>>>>
>>>>>> I would say that the 1.1.x series is less bad, especially on the last
>>>>>> count,
>>>>>> but don't know how much you've looked at the differences in the new
>>>>>> branch.
>>>>>
>>>>> While "less bad" is certainly a laudable goal for OpenSSL, I hope
>>>>> FreeBSD has higher ambitions.
>>>>>
>>>>
>>>> I'm curious about your thoughts on LibreSSL as a possible option.
>>>
>>> It retains the horrible APIs, so the potential improvement is finite.
>>>
>>
>> OpenBSD started the task of making OpenSSL easier to use by adding
>> things like libtls
>>
>> (see  https://man.openbsd.org/tls_init )
>>
>> on top of their backwards-compatible libssl.  There are similar
>> efforts in other libraries like NaCl and its forks, such as libsodium
>> ( cf. https://nacl.cr.yp.to/features.html and
>> https://www.gitbook.com/book/jedisct1/libsodium/details ).  Are these
>> the kind of changes you are suggesting?
>
> I know the LibreSSL roadmap includes more plans to improve the API
> design to make it more usable.
>
> Overall, I think LibreSSL is the best option, though there needs to be
> some investigation into how easily it can be used for kernel and
> boot-loader purposes.  Things like libsodium are too narrow in their
> focus, and BearSSL is too new.
>
> Plus the fact that LibreSSL originates from one of the BSDs and has its
> backing is a significant advantage, I think.

Mostly it originates from OpenSSL. :-)
_______________________________________________
freebsd-security at freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"