Not Just a Cleanup Any More: LibreSSL Project Announced

An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."
  • by cmdrbuzz ( 681767 ) on Tuesday April 22, 2014 @07:52AM (#46813981)

    LibreSSL.... Please for the love of code, change the name!

  • 'Nuff said

  • you use polarssl. Which is already exactly that.

    • Possibly it would be easier to integrate polarssl than clean up openssl, but they maybe like to work on crypto code instead of on interfaces.
      Given that it's a volunteer effort (by them and by those who will volunteer some cash) I do not complain about it anyway.

    • PolarSSL doesn't have the same licensing model as OpenSSL, so it's not a drop-in replacement.

  • finds out openssl is bollocks,
    radically refactors and overhauls millions of lines of code.

    as for the LibreSSL team, might i suggest some music?
    • by gweihir ( 88907 )

      They already have music under the "OpenSSL" link on the LibreSSL webpage. Seems they are ahead of you ;-)

  • by duke_cheetah2003 ( 862933 ) on Tuesday April 22, 2014 @08:16AM (#46814179) Homepage

    Don't fork SSL, we need to keep one standard, I'd think. This is a bad idea. These resources could be used to improve OpenSSL directly.

    • Re:Please don't (Score:5, Insightful)

      by Kardos ( 1348077 ) on Tuesday April 22, 2014 @08:31AM (#46814293)

      It's not a bad idea. OpenSSL has become unwieldy, which has been known for quite some time. A major refactoring is long overdue. Does it matter if the project changes name? OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

      > Even after all those changes, the codebase is still API compatible.

      It's going to be a drop-in replacement for OpenSSL. Same idea as the MariaDB fork of MySQL. Where is the "bad idea" here?

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Where is the "bad idea" here?

        A fork is alien to the OSS concept. If you are not happy with the direction and quality of the current maintainer and code, and think you can do better, you shouldn't just fork it and do it. Who has ever asked you to do that with OSS?? You should work with the provider and hope that helps.

        • What? Forking is a huge part of the OSS concept. "If you don't like the way the devs are going, STFU and change it yourself."

          In *practice* it may not work that way very often (the biggest offenders in recent memory are massive projects that it's infeasible for a single or handful of developers to maintain. i.e. browsers, DEs, etc..), but you've got a pretty warped idea of OSS if you think it's "alien" to the concept.

        • by Sique ( 173459 )
          I am not sure if this is an attempt at being ironic.
      • OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

        Rather, they apparently don't (hence the donations plea). What they do have time for is forking OpenSSL, cutting out the stuff they don't care about, and slapping each other on the back for giving OpenSSL a good poke in the eye.

    • Don't fork SSL

      They're not.

      we need to keep one standard

      They are.

      This is a bad idea.

      It's not, because your assumptions above are faulty.

      These resources could be used to improve OpenSSL directly.

      That's exactly what they are doing. But they're forking OpenSSL because they want to do it their way.

    • Re:Please don't (Score:4, Interesting)

      by upuv ( 1201447 ) on Tuesday April 22, 2014 @08:56AM (#46814499) Journal

      SSL is the standard.
      OpenSSL is an implementation
      LibreSSL is an implementation

      The standard isn't forked.

      In this instance the standard mostly applies to the protocol. The on-system interfaces will most likely mutate rather quickly, most specifically at the user interaction level. The library interfaces will most likely remain steady.

      This isn't a bad thing.

      SSL and its related crypto cousins are all about trust, but paradoxically crypto people don't trust crypto people, so there is very little trust out there. So really powerful things like personal / corporate certificate authorities just don't exist in practice. Imagine the power of a CA for personal certs. It would change authentication forever. Goodbye 300 passwords. But since no two people can build two independent systems that truly trust each other, there really is no hope for personal certificate authorities. Maybe this reboot of an SSL implementation can move us one step closer. Or even an inch/2.2cm.

  • by sinij ( 911942 ) on Tuesday April 22, 2014 @08:38AM (#46814361)
    The key reason OpenSSL is so popular in the US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has a certified module.
    • People are starting to think that "FIPS Certified" means "has all required NSA backdoors installed".

      • by sinij ( 911942 ) on Tuesday April 22, 2014 @08:58AM (#46814521)
        You might be proven right by the next Snowden report, but this still will not change the fact that to sell to the government you need to demonstrate your crypto is certified.

        Another way of thinking about this - your liability is much higher when your badly broken crypto results in your customer database on pastebin, than when your backdoored library results in your customer database somewhere in the NSA data vault.
      • by BitZtream ( 692029 ) on Tuesday April 22, 2014 @09:08AM (#46814613)

        Having gone through the certification process myself, people that think that are stupid, paranoid idiots. The certification process is entirely based on finding and fixing known flaws in the encryption process, nothing I saw would indicate any kind of weakening.

        Of course, it's entirely possible that the NSA was aware that my code was insecure and just didn't request any changes to make it weaker, but the certification process certainly didn't make that apparent.

    • Wrong.

      A specific version of the OpenSSL binaries a LONG time ago received a low level of FIPS 140 certification. That certification was for specific binaries built from a specific code base. The instant a single line of source was changed, the entire FIPS certification was null and void for the new version. Depending on the exact way it was certified, it is entirely possible that even compiling the same source code from the version that was certified ... does not itself receive the certification.

      NO ONE use

      • That's not quite right either. The open-source releases of OpenSSL certainly do not ship with any implied FIPS certification. OpenSSL does offer FIPS validation for a specific build as part of their commercial support program. They say "Support for the FIPS Object Module, including assistance with building a validated module for a specific platform (if possible) is available with the Premium plan". It is not correct that these versions are exactly the same code as the ones first certified long ago.


        • by chill ( 34294 )

          The core encryption functions of an older version (0.9.8, I think) were spun off into a separate module and certified for FIPS. The certification process is that the code is provably correct and the implementation is flawless, which is why it takes so damn long. It is also why only the core crypto transforms are certified.

          You CAN, and vendors DO update the wrapper module around the core functions and update things without having to go back under certification.

          Case in point. The Red Hat version of FIPS-OpenSS

    • by Kardos ( 1348077 )

      If OpenBSD is successful in its goal of making a lean and mean LibreSSL, is there anything that stops someone else from getting it FIPS certified?

      Clearly it would have to be re-done with each release, so presumably nobody would bother until LibreSSL is stable.

    • by Lennie ( 16154 )

      Do you know what FIPS certification does ?

      They check the algorithms (read: math), not the implementation.

      So nothing has really changed from that standpoint.

      Will LibreSSL be FIPS certified ? Probably not.

    • by Bob9113 ( 14996 )

      The key reason OpenSSL is so popular in the US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has a certified module.

      Sounds like a good idea. Perhaps the system integrators who want to have a FIPS certified version of SSL that is also secure should do the legwork on getting the certification done, while Theo and his team work on the code. Decentralized do-ocracy FTW.

  • OpenOffice -> LibreOffice
    OpenSSL -> LibreSSL

    Will the next be
    OpenSSH -> LibreSSH
    OpenBSD -> LibreBSD
    OpenStack -> LibreStack
    ... ?
