LibreSSL
http://www.libressl.org/

Download
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/

LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

Primary development occurs inside the OpenBSD source tree with the usual care the project is known for. On a regular basis the code is re-packaged for portable use by other operating systems (Linux, FreeBSD, Solaris, etc).

Nah, no real  advantages, high risk of issues (first of all, would it work at all with Qt under Windows?).
It may be revisited in future, when it will become mature.

Understood.

To make Otter attractive to security-concerned folks, I think, a lean and well-documented cryptography library should be used. OpenSSL was apparently an early implementation that got patched again and again until it became unmaintainable, underdocumented and hard to use correctly. I would suggest to look at <a href="https://polarssl.org/">PolarSSL[/url]. It seems to care about documentation, which is essential for developers, lest such a critical component is used the wrong way. Unlike LibreSSL, it is already a solid library, that was <a href="https://polarssl.org/tech-updates/blog/providing-assurance-and-trust-in-polarssl">not affected[/url] by Heartbleed back then and receives constant maintenance. The project recently became <a href="https://polarssl.org/tech-updates/blog/polarssl-part-of-arm">part of ARM[/url].

I think, using a properly documented crypto library is crucial to feel confident about Otter. I would even go as far as mandating special developer's documentation for that part of Otter. That would allow more eyes to look at it in an informed way. Not sure what Qt requires cryto-wise, though. But this is definitely an area were the code should be written so clear, that its obvious correctness can be seen. A lot of software seems to do it wrong by presenting itself as so complicated, that the eye merely cannot find any obvious incorrectness. This should be avoided.

@4r3a9n8d2o7m8, I don't think that we have much choice in case of SSL but we have for other use cases (like encrypting passwords etc.).
So far the best option seems to be gcrypt (OpenSSL is definitely not suitable for direct use, as it requires exceptions in license headers etc.).

Nah, no real  advantages, high risk of issues (first of all, would it work at all with Qt under Windows?).
It may be revisited in future, when it will become mature.

It's worth to note that Otter is already using LibreSSL in our official OpenBSD packages (both in beta 4 & beta 5) without any issues so far.
That was of course not the case when Emdek wrote that reply as the port was published on 25th January.

 

Still, who knows LibreSSL really full support windows?