30-Day Status Update On The LibreSSL OpenSSL-Fork
Bob Beck of the OpenBSD project has provided a status update on the first 30 days of the LibreSSL project, a fork of OpenSSL that followed the notorious Heartbleed bug.
Bob's slides from BSDCan Ottawa 2014 are interesting and can be found in full via OpenBSD.org. Some highlights from the presentation on LibreSSL include:
- A "perfect storm" hit OpenSSL: developers concerned with adding features rather than fixing and maintaining code, fixes not being merged upstream, years of bug rot, and horrible code.
- LibreSSL still aims to maintain API/ABI compatibility with OpenSSL so it can be a drop-in replacement.
- OpenBSD developers have found numerous faults with OpenSSL and the decisions made by its developers.
- They have already fixed many bugs and have a unidiff of about half a million lines against OpenSSL 1.0.1g, the version they forked from.
- New ciphers for Brainpool, ChaCha, Poly1305, and ANSSI FRP256v1 have been added to LibreSSL.
- LibreSSL accuses the OpenSSL Foundation of being a front for the FIPS consultancy.
- Long-term goals of LibreSSL are a better API, a reduced codebase, splitting libcrypto from libssl, and splitting non-cryptography tasks out of libcrypto.
- The Linux Foundation has not committed support to LibreSSL, although it is now funding OpenSSL via its Core Infrastructure Initiative.