Upcoming OpenSSL 1.1.0 release
Kevin Oberman
rkoberman at gmail.com
Tue Aug 23 20:39:33 UTC 2016
On Tue, Aug 23, 2016 at 12:54 PM, Matt Smith via freebsd-ports <
freebsd-ports at freebsd.org> wrote:
> On Aug 23 12:19, Roger Marquis wrote:
>
>> Matt Smith wrote:
>>
>>> Going slightly off-topic, I'm curious what the opinion is around this
>>> and LibreSSL.
>>>
>>
>> My organization evaluated this a few months ago and after a few diffs
>> and code reviews decided that libressl was the future. We updated
>> poudriere and all make.confs, removed openssl, installed libressl and
>> have had no issues. We did the same with openntp a few months earlier
>> and recommend both for any installation that needs good security.
>>
>> Roger
>>
>
> I have been running libressl-devel for the past few months and other than
> having to manually patch a few ports to get them to compile have also had
> no problems. However this was the case a few months ago. My questioning is
> specifically related to the upcoming OpenSSL 1.1 which in theory has had a
> lot of work done to it by a full-time paid team of developers. In fact it
> was meant to be released back in May but was delayed specifically so that
> they could squash all remaining bugs. It would be interesting if somebody
> could audit the changes to see how it compares to LibreSSL after it's
> released. There is a possibility that it may actually be the better path
> going forward.
>
>
> --
> Matt
>
I think OpenSSL is the way to go at this time. I have great faith in the
skills of the people who work on LibreSSL, but they are very, very
conservative on things like new algorithms and will likely lag behind
OpenSSL for this reason. This will mean incompatibilities with some new
applications which will force the use of OpenSSL. Then you get into ugly
issues with multiple shareable libraries that will create conflicts that,
in Windows-land are referred to as "DLL hell". Having spent too much time
there, once as a result of a mix of tools build with the base system
OpenSSL and and ports OpenSSL.
Also, even now (or last I looked) there are API incompatibilities between
the two as LibreSSL chose not to implement some functions in OpenSSL which
can force the use of OpenSSL, at least for some ports.
There is no "right" answer to this. ATM, OpenSSL looks like the bast
choice to me and that is what I use. Depending on the on-going level of
support for the two libraries, this may change, but it will be a problem
for the foreseeable future. Ya pays your money and takes yer chances,
unless you can bankroll support for one or the other by programmers
competent in not only coding, but cryptography. Those folks are few in
number and way beyond the budget of most of us.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
More information about the freebsd-ports
mailing list