Topic: How about LibreSSL? (Read 1925 times)

  • jasonliul
How about LibreSSL?
LibreSSL
http://www.libressl.org/

Download
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/

LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

Primary development occurs inside the OpenBSD source tree with the usual care the project is known for. On a regular basis the code is re-packaged for portable use by other operating systems (Linux, FreeBSD, Solaris, etc.).
Fortune favors the brave.

  • Emdek
  • Moderator
Re: How about LibreSSL?
Reply #1
Nah, no real advantages, high risk of issues (first of all, would it work at all with Qt under Windows?).
It may be revisited in the future, when it becomes mature.
The time has come, the high time, to destroy hatred in oneself.

  • jasonliul
Re: How about LibreSSL?
Reply #2
Understood.
:happy:
Fortune favors the brave.

Re: How about LibreSSL?
Reply #3
To make Otter attractive to security-concerned folks, I think a lean and well-documented cryptography library should be used. OpenSSL was apparently an early implementation that got patched again and again until it became unmaintainable, underdocumented and hard to use correctly. I would suggest looking at PolarSSL (https://polarssl.org/). It seems to care about documentation, which is essential for developers, lest such a critical component is used the wrong way. Unlike LibreSSL, it is already a solid library that was not affected by Heartbleed back then (https://polarssl.org/tech-updates/blog/providing-assurance-and-trust-in-polarssl) and receives constant maintenance. The project recently became part of ARM (https://polarssl.org/tech-updates/blog/polarssl-part-of-arm).

I think using a properly documented crypto library is crucial to feel confident about Otter. I would even go as far as mandating special developer's documentation for that part of Otter. That would allow more eyes to look at it in an informed way. Not sure what Qt requires crypto-wise, though. But this is definitely an area where the code should be written so clearly that its correctness is obvious. A lot of software seems to do it wrong by presenting itself as so complicated that the eye simply cannot find any obvious incorrectness. This should be avoided.

  • Emdek
  • Moderator
Re: How about LibreSSL?
Reply #4
@4r3a9n8d2o7m8, I don't think that we have much choice in the case of SSL, but we do for other use cases (like encrypting passwords etc.).
So far the best option seems to be gcrypt (OpenSSL is definitely not suitable for direct use, as it requires exceptions in license headers etc.).
The time has come, the high time, to destroy hatred in oneself.

  • mulander
Re: How about LibreSSL?
Reply #5
Quote from Emdek:
Nah, no real advantages, high risk of issues (first of all, would it work at all with Qt under Windows?).
It may be revisited in the future, when it becomes mature.

It's worth noting that Otter is already using LibreSSL in our official OpenBSD packages (both in beta 4 & beta 5) without any issues so far.
That was, of course, not the case when Emdek wrote that reply, as the port was published on 25th January.

  • jasonliul
Re: How about LibreSSL?
Reply #6
:devil:

Still, who knows whether LibreSSL really fully supports Windows?
Fortune favors the brave.