Slashdot Mirror


LibreSSL 2.2.2 Released

An anonymous reader writes: LibreSSL 2.2.2 has been released. According to the release notes: "This release marks the end of the OpenBSD 5.8 development cycle, featuring expanded portable build support, code improvements, removal of obsolete workarounds.... The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible." This is the first LibreSSL release that has completely removed SSLv3 support.

4 of 33 comments

  1. Re:Is it FIPS certified? by kriston · Score: 5, Informative

    We have a viable alternative. It's called NSS from Mozilla, and it's free of all patent encumberments that have plagued LibreSSL/OpenSSL/SSLeay to this day. It also offers FIPS compliance.

    https://wiki.mozilla.org/NSS

    --

    Kriston

  2. Re:Is it FIPS certified? by Anonymous Coward · Score: 2, Informative

    You are correct. You may not include a disallowed cipher suite, but you are free to omit any you desire if you feel them to be insecure.

  3. Re:Is it FIPS certified? by jandrese · Score: 3, Informative

    The OpenBSD guys don't care about FIPS, but if someone else does they're more than welcome to take the LibreSSL code and run it through the FIPS process. The OpenBSD team has already said that they think FIPS does more harm than good, because it locks you into exactly one version of the library which makes it difficult to apply fixes without breaking the certification. People want FIPS certification to mean "this has been proven safe", but that's not true and is impossible for non-trivial projects.

    --

    I read the internet for the articles.

  4. Re:Is it FIPS certified? by Anonymous Coward · Score: 2, Informative

    pfft. One of the complaints about OpenSSL was that it tacked on code just to gain FIPS certification. So it gets certified, but now is still loaded with obsolete, insecure cruft that makes it less secure and vulnerable to attacks. In which case, its FIPS certification status is meaningless in terms of providing real security.