Slashdot Mirror


First Release of LibreSSL Portable Is Available

ConstantineM writes: It has finally happened. Bob Beck of The OpenBSD Foundation has just announced that the first release of LibreSSL portable is now available, and can be found in the LibreSSL directory of your favourite OpenBSD mirror. libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OS X and FreeBSD. This is intended to be an initial portable release of OpenBSD's libressl to allow the community to start using it and providing feedback, and has been done to address the issue of incorrect portable versions being attempted by third parties. Support for additional platforms will be added as time and resources permit.


  1. Donate by Anonymous Coward · · Score: 2, Informative

    Through my student years I was very much supported by donations.

    The LibreSSL effort was the first time I donated ever. So FFS donate, it is that kind of asshole attitude that produces good code, so support it.

    1. Re:Donate by akpoff · · Score: 2

      Development of portable versions of other OpenBSD projects doesn't appear to have suffered.[1] What makes you think LibreSSL will be any different?

      [1] The OpenBSD Foundation:
      OpenSSH
      OpenNTPD
      OpenSMTPD

    2. Re:Donate by Noryungi · · Score: 5, Insightful

      Oh boy, there is so much wrong here... Where to start?

      First of all, OpenSSL problems are not "getting fixed". Part of the problem is that funding for OpenSSL was primarily based on company XYZ sponsoring function ABC. This gave incentives to the OpenSSL devs to add more functionalities on top of the cruft, the horrible mess that was the code base. More funding equals more developers equals more eyeballs, but we haven't seen the progress so far.

      Second of all, OpenBSD has given a HUGE amount of (BSD licensed) code to the rest of the world, Linux included. Try typing "ssh -V" on any Linux machine and I can guarantee you will get OpenSSH. And if you are like me, this is something you use EVERY. FREAKING. DAY. So please stop the trolling about OpenBSD, mmmmkay?

      Third, the amount of code that has been cleaned up, improved, deleted and just plain scrubbed is simply amazing. You can say whatever you want about OpenBSD cranky devs, they know their stuff and they know their way around C code.

      Fourth, OpenSSL is BSD/Apache licensed, and not GPL, so stop spouting off about supporting GPL software - not everything has to be blessed by Stallman to be acceptable. And, yes, the Linux Foundation recognizes this - while you don't.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    3. Re:Donate by the_B0fh · · Score: 2

      The OpenBSD group does a number of things. LibreSSL is one of them. They ask for donations to the general fund. If you like, you donate. If you don't, don't donate. OpenBSD runs a lean organization. Everything they do is open sourced and standards driven. And they make it _portable_ correctly.

      If you have an axe to grind against them for forking a piece of shit code, take it and shove it.

    4. Re:Donate by thegarbz · · Score: 2

      Nothing structural needed to be changed in this phase.

      Step one of the LibreSSL project is and always has been clean up the code to make it readable by mortals. An illegible clusterfuck does not attract volunteer developers to help audit. Heartbleed arose because OpenSSL was a perfect contradiction to the idea that "Because it's open source anyone can look at the code and therefore bugs get fixed quickly." Structural changes are still to come.

      Also, posting an about page from OpenSSL doesn't really mean all that much. Let's see some action, thanks. Here we are 3 months after the Heartbleed fiasco and the LibreSSL team have forked and started a major cleanup, whereas the OpenSSL team have written an about page living up to their reputation as a bunch of consultants chasing government contracts.

  2. Other OS's by armanox · · Score: 2

    Guess I'll have to see if this builds on IRIX when I get home...just to see.

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
    1. Re:Other OS's by armanox · · Score: 3, Interesting

      Which I already eliminated that possibility saying I was building it at home. I'd also like to believe that there are very few security critical things still using IRIX, even though I know better (at least SGI was still releasing security patches until this year....).

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
  3. Re:first security vulnerability to be discovered! by Noryungi · · Score: 4, Insightful

    in 3....2.......1............

    That was the goal from the very beginning: make the code less horrible to get people involved and correct as much as possible.

    So, yes, they will find more problems. They expect that.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  4. Re:Happy to let someone else test it by Noryungi · · Score: 5, Informative

    There is not just "cruft" in the code base: if I remember correctly, they removed thousands upon thousands of lines of code from OpenSSL - think VMS, Borland C, Windows 3.x, MS Visual C++ (etc) support.

    And they tested the whole thing on the OpenBSD ports - so far, nothing has been broken.

    Oh and FIPS support? Not gonna happen. Bob Beck has been very very clear on that subject. OpenBSD does not care too much about US government standards.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  5. Welp, time to start the VMS port by jandrese · · Score: 3, Interesting

    Oh good, now we can get that vital VMS, DOS, and MacOS 7 support so they're not stuck on OpenSSL.

    --

    I read the internet for the articles.
  6. Re:Happy to let someone else test it by Bengie · · Score: 2

    The OpenBSD people do not believe in "work arounds". Their answer to an OS not properly doing something is "fix the OS". As it should be.

  7. Re:Happy to let someone else test it by Bengie · · Score: 3, Informative

    Heartbeat support is optional and negotiated. I don't know why you think it 'must' be supported.

  8. Also works fine under NetBSD by ci4 · · Score: 3, Informative

    Test suite summary for libressl 2.0.0
    'make check' under -current amd64:

    TOTAL: 41
    PASS: 41
    SKIP: 0
    XFAIL: 0
    FAIL: 0
    XPASS: 0
    ERROR: 0

  9. Re:Does app incompatibility count? by Bengie · · Score: 2

    Well, sucks to be you. That's really what it comes down to. When it comes to security and design, don't compromise because some idiots painted themselves into a corner.

  10. Re:Happy to let someone else test it by Zero__Kelvin · · Score: 2

    "Bottom line LibreSSL is useless here as long as it won't run Windows."

    The sad part is that you actually believe it.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Re:Happy to let someone else test it by Bengie · · Score: 2

    Heartbeat is only to let the other side know the connection is still expected to be alive when no data is being transmitted. It's not hard for the application level to issue data every 4.5 minutes when it detects an idle connection. The time out length is also configurable. Set the timeout for 24 hours, enjoy.

  12. LibreSSL vs OpenSSL Speed test by Anonymous Coward · · Score: 2, Interesting

    I saw the updated http://www.libressl.org/ page with details for the portable version.

    Saw someone else did a speed test https://gist.github.com/bertjw...

    and thought I would do the same

    http://pastebin.com/SBVWPQmB

    I'm not an expert but at this stage it appears

    LibreSSL Speed as % of OpenSSL

    type          16 bytes   64 bytes   256 bytes   1024 bytes   8192 bytes
    Aes-128 cbc   152.40     152.34     152.66      59.87        59.49
    Aes-192 cbc   159.14     158.30     158.25      60.78        60.49
    Aes-256 cbc   166.15     166.91     167.14      64.48        64.51

    Results -
    LibreSSL about 50~60% faster for 256 size blocks or smaller
    OpenSSL about 50~60% faster for 1024 size blocks or larger

    Notes: To compile on Ubuntu need to use ./configure LDFLAGS=-lrt
    There are posts about the same requirement on RH also.

  13. Re:Happy to let someone else test it by greg1104 · · Score: 2

    Most of FIPS is a certification process oriented on testing. However, there is a checklist of things you need to support, and one of them used to be the easy to backdoor Dual_EC_DRBG.

    Now that the requirement for Dual_EC_DRBG has been dropped from NIST's checklist, it would be possible to have LibreSSL meet FIPS requirements without having the troublesome component. Most of FIPS certification is about throwing money at testing vendors, as described by OpenSSL themselves. Doing that would really be incompatible with the crusade LibreSSL is on though, because the result is believed by some to be less secure than using a library that isn't bound to the FIPS process. I don't see those developers ever accepting a process that prioritizes code stability over security.