Project:LibreSSL

From Gentoo Wiki
LibreSSL
Description: LibreSSL is a fork of, and drop-in replacement for, OpenSSL. Primary development is done in OpenBSD, but it is ported to Linux as well. The LibreSSL project aims to bring support for this alternative SSL provider to Gentoo Linux.
Project email: libressl@gentoo.org
IRC channel: #gentoo-libressl
Lead(s):
Last elected: 2019/04/17
Member(s):
Subproject(s) (and inherited member(s)): (none)
Parent Project: Gentoo
Warning: As of 2021-02-01, LibreSSL will no longer be officially supported in Gentoo. It will still be possible to use LibreSSL to some degree after this date, but migration to OpenSSL is strongly recommended. Interested users will continue the development of unofficial LibreSSL support in the LibreSSL overlay.

LibreSSL is a fork of, and drop-in replacement for, OpenSSL. It was originally a response to the infamous Heartbleed vulnerability, a serious security flaw in one of the most popular SSL providers in use. In response, some OpenBSD developers forked OpenSSL in order to "modernize the codebase, improve security, and apply best practice development processes." While LibreSSL has not been without its own vulnerabilities (see below), some of which it shared with OpenSSL, there have been improvements from its emphasis on security. For example, the LibreSSL team's response to the POODLE vulnerability was to disable the use of SSL 3.0 by default.

LibreSSL is not without its criticisms, however. Although LibreSSL has complete API compatibility with OpenSSL as a stated goal, as a fork its ABI may diverge over time, creating subtle incompatibilities for a simple drop-in replacement. This is worse than a package simply failing to build against LibreSSL: a package built against OpenSSL may later link and run against LibreSSL, should one library be replaced with the other, yet misbehave at runtime. The size of some struct may be off by a few bytes, or the parameters of some function might not align in the same way. This in turn can lead to unpredictable behavior, crashes or, worse, exploits. LibreSSL has therefore been criticized for using the same library file names and even the same SONAME as OpenSSL.

So the project of porting LibreSSL to Gentoo must not be ignorant of the possible (inevitable?) ABI incompatibilities between the two. We cannot support a system where one can simply switch between OpenSSL and LibreSSL without subsequently rebuilding the dependent packages to make sure any ABI incompatibilities are addressed.
Project repository: https://github.com/gentoo/libressl
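The paragraphs above argue that switching providers is only safe if every package linked against libssl/libcrypto is rebuilt afterwards. The following script, added here as an example and not part of the wiki page, the Gentoo LibreSSL project or Portage itself, shows how to enumerate those rebuild candidates from Portage's per-package linkage records. It assumes the NEEDED.ELF.2 record format (semicolon-separated fields arch;object;soname;rpath;needed;multilib_category, with needed a comma-separated list of DT_NEEDED sonames); the package records embedded below are constructed sample data, not taken from a real system.

```python
"""List installed packages that link against libssl/libcrypto (example code).

Because OpenSSL and LibreSSL publish the same SONAMEs, the dynamic linker
cannot tell a consumer that the provider changed underneath it; the only
safe remedy is to rebuild every consumer.  This script finds them from
Portage's NEEDED.ELF.2 records (format assumed as documented in the lead-in).
"""
import re
from collections import defaultdict

# Sonames shared by OpenSSL and LibreSSL; anything needing these is a
# rebuild candidate after the provider is switched.
SSL_SONAME_RE = re.compile(r"^lib(ssl|crypto)\.so(\.\d+)*$")

# Constructed sample: {package atom: contents of its NEEDED.ELF.2 file}
SAMPLE_VDB = {
    "net-misc/curl-7.74.0": (
        "x86_64;/usr/bin/curl;;;libcurl.so.4,libc.so.6;x86_64\n"
        "x86_64;/usr/lib64/libcurl.so.4.6.0;libcurl.so.4;;"
        "libssl.so.1.1,libcrypto.so.1.1,libz.so.1,libc.so.6;x86_64\n"
    ),
    "dev-libs/openssl-1.1.1i": (
        "x86_64;/usr/lib64/libssl.so.1.1;libssl.so.1.1;;libcrypto.so.1.1,libc.so.6;x86_64\n"
        "x86_64;/usr/lib64/libcrypto.so.1.1;libcrypto.so.1.1;;libc.so.6;x86_64\n"
    ),
    "app-shells/bash-5.0_p18": (
        "x86_64;/bin/bash;;;libreadline.so.8,libc.so.6;x86_64\n"
    ),
}


def parse_needed_elf2(text):
    """Yield (object_path, soname, [needed sonames]) for each record line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 5:
            continue  # malformed record: skip rather than guess at fields
        needed = [n for n in fields[4].split(",") if n]
        yield fields[1], fields[2], needed


def ssl_consumers(vdb, provider_pkgs=("dev-libs/openssl", "dev-libs/libressl")):
    """Map package atom -> sorted libssl/libcrypto sonames it depends on.

    The provider packages themselves are excluded: libssl needing libcrypto
    is internal to the provider and not a rebuild candidate.
    """
    result = defaultdict(set)
    for atom, text in vdb.items():
        if any(atom.startswith(p + "-") for p in provider_pkgs):
            continue
        for _obj, _soname, needed in parse_needed_elf2(text):
            for soname in needed:
                if SSL_SONAME_RE.match(soname):
                    result[atom].add(soname)
    return {atom: sorted(sonames) for atom, sonames in result.items()}


if __name__ == "__main__":
    # On a real system one would read /var/db/pkg/*/*/NEEDED.ELF.2 instead.
    for atom, sonames in sorted(ssl_consumers(SAMPLE_VDB).items()):
        print(f"{atom}: rebuild needed (links {', '.join(sonames)})")
```

On a live Gentoo system the same walk over /var/db/pkg produces the list to feed back to emerge; the script deliberately reports by package atom rather than by object so that each consumer is rebuilt once, whichever of its objects picked up the shared SONAME.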