Slashdot Mirror


LibreSSL 2.2.2 Released

An anonymous reader writes: LibreSSL 2.2.2 has been released. According to the release notes: "This release marks the end of the OpenBSD 5.8 development cycle, featuring expanded portable build support, code improvements, removal of obsolete workarounds.... The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible." This is the first LibreSSL release that has completely removed SSLv3 support.


  1. Is it FIPS certified? by sinij · Score: 4, Interesting

    It is about time we get a viable alternative to OpenSSL. Unfortunately, LibreSSL is not FIPS certified, and as such won't be used for government-facing projects. This means as a system integrator I have a choice - use OpenSSL (and private label certify it) and be able to sell my product to industry and government clients, or use LibreSSL and only be able to sell to industry clients.

    1. Re:Is it FIPS certified? by Anonymous Coward · Score: 3, Insightful

      I'm no expert, but didn't LibreSSL remove support for some algorithms mandated by FIPS that are known to be insecure? I could be wrong, but I have the impression that it can't be certified because the standard itself is compromised.

    2. Re:Is it FIPS certified? by sinij · Score: 3, Interesting

      You are probably thinking about Dual_EC_DRBG; support for it has been removed by NIST since 2013.

      Generally, FIPS certification would only include things you do, and mandate how to do them. For example, if you implement AES256-GCM, you will have to demonstrate that it is implemented according to the standard - NIST SP 800-38D, but you don't have to implement it.

    3. Re:Is it FIPS certified? by kriston · Score: 5, Informative

      We have a viable alternative. It's called NSS from Mozilla, and it's free of all patent encumbrances that have plagued LibreSSL/OpenSSL/SSLeay to this day. It also offers FIPS compliance.

      https://wiki.mozilla.org/NSS

      --

      Kriston

    4. Re:Is it FIPS certified? by jandrese · Score: 3, Informative

      The OpenBSD guys don't care about FIPS, but if someone else does they're more than welcome to take the LibreSSL code and run it through the FIPS process. The OpenBSD team has already said that they think FIPS does more harm than good, because it locks you into exactly one version of the library, which makes it difficult to apply fixes without breaking the certification. People want FIPS certification to mean "this has been proven safe", but that's not true and is impossible for non-trivial projects.

      --

      I read the internet for the articles.