
.crt .ca .key generated under LibreSSL vs OpenSSL.

bryn1u

Well-Known Member

Thanks: 9
Messages: 323

#1
Hello guys,

I'm using OpenVPN under FreeBSD and HardenedBSD.

HardenedBSD has implemented LibreSSL, which is a great secure step forward. FreeBSD is still using OpenSSL. I have generated the .crt, .ca and .key files with easy-rsa under FreeBSD. I moved them all, keys and certs, to HardenedBSD, where LibreSSL is, and everything works great. My question is: are there any differences in the way those certs are generated under OpenSSL and LibreSSL? Or are they just tools? I admit that it is much easier to use easy-rsa than to do it manually under HBSD, where easy-rsa is not supported.

Thanks,
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,998
Messages: 26,762

#2
The certificates should be the same, it's a standard: https://en.wikipedia.org/wiki/X.509

There could be differences in the supported algorithms though, but that doesn't change the format of an X.509 certificate.
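To make the point above concrete, here is an added example (not code from the thread or from any poster) that reads a PEM certificate with a hand-written DER reader and reports the outer X.509 structure: tbsCertificate, signatureAlgorithm and signatureValue. Whichever tool wrote the file (easy-rsa, the base OpenSSL or the ports LibreSSL binary), this is the container they all emit. The sample certificate is constructed inside the script with placeholder key and signature bytes, so it is unsigned and only structurally valid; the OIDs are the standard ones from RFC 5280 / PKCS #1, and the "acceptable" flag is this example's own policy (SHA-256 based signatures yes, SHA-1 and MD5 no), which is where implementation differences in supported algorithms would show up.

```python
"""Parse the outer X.509 Certificate structure of a PEM file (added example).
The sample certificate is CONSTRUCTED here and is not signed."""
import base64
import re

# ---- tiny DER encoder, used only to build the constructed sample ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return der(0x06, out)

def alg_id(oid: str) -> bytes:
    return der(0x30, der_oid(oid) + b"\x05\x00")  # AlgorithmIdentifier, NULL params

def sample_pem(sig_oid: str = "1.2.840.113549.1.1.11") -> str:
    """Constructed v3 certificate: CN=example-ca, zeroed key and signature."""
    cn = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"example-ca"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, alg_id("1.2.840.113549.1.1.1") + der(0x03, b"\x00" * 17))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg_id(sig_oid) + cn + validity + cn + spki)
    cert = der(0x30, tbs + alg_id(sig_oid) + der(0x03, b"\x00" * 33))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# ---- minimal DER reader ----
def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for definite-length DER."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

# Signature algorithm OIDs and this example's own acceptance policy.
SIG_ALGS = {
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
}

def inspect_certificate(pem: str) -> dict:
    raw = pem_to_der(pem)
    tag, cert, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single Certificate SEQUENCE")
    _, tbs, p = read_tlv(cert, 0)            # tbsCertificate
    _, sig_alg, p = read_tlv(cert, p)        # signatureAlgorithm
    tag, sig, _ = read_tlv(cert, p)          # signatureValue (BIT STRING)
    if tag != 0x03:
        raise ValueError("signatureValue is not a BIT STRING")
    _, oid_body, _ = read_tlv(sig_alg, 0)
    oid = decode_oid(oid_body)
    # RFC 5280 4.1.1.2: the inner tbsCertificate.signature must match the outer one.
    tag, _, p = read_tlv(tbs, 0)             # version [0] (v3) or serialNumber (v1)
    if tag == 0xA0:
        _, _, p = read_tlv(tbs, p)           # serialNumber
    _, tbs_alg, _ = read_tlv(tbs, p)
    _, tbs_oid, _ = read_tlv(tbs_alg, 0)
    if decode_oid(tbs_oid) != oid:
        raise ValueError("tbsCertificate.signature differs from signatureAlgorithm")
    name, ok = SIG_ALGS.get(oid, ("unknown", False))
    return {"sig_oid": oid, "sig_alg": name, "acceptable": ok,
            "tbs_len": len(tbs), "sig_bits": (len(sig) - 1) * 8 - sig[0]}

def inspect_file(path: str) -> dict:
    with open(path, encoding="ascii") as fh:
        return inspect_certificate(fh.read())

if __name__ == "__main__":
    print(inspect_certificate(sample_pem()))
```

Run `inspect_file("ca.crt")` on a real file produced by either toolchain; the structure check passes identically, and only the signature algorithm lookup tells you whether the chosen algorithm is one you want both libraries to accept.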
 

Sensucht94

Well-Known Member

Thanks: 289
Messages: 327

#3
I think the format is the same, though LibreSSL should have fixed some critical OpenSSL vulnerabilities, as I read on libressl.org, and, as of 2015 (I don't think it's been updated yet), OpenBSD's LibreSSL security track record showed a clear gap in the high-risk CVE count between the two.

That said, security/libressl is in ports, and although the base system relies on OpenSSL, nothing keeps one from installing it if preferred. To use it as the default SSL library provider, you can add:
Code:
DEFAULT_VERSIONS= ssl=libressl
to your /etc/make.conf, and make will rely on it to compile ports.

Moreover, since the base SSL binary is /usr/bin/openssl, I set an alias like:
Code:
alias  libressl   /usr/local/bin/openssl
in my .tcshrc, in order to safely use the version provided by security/libressl to produce .pem RSA keys and certs.
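Both binaries are called openssl, so the alias only helps if it really points at LibreSSL. The following added script (not from the thread or from any poster) reports which implementation each binary is, by classifying the banner that `openssl version` prints, and which ssl provider the DEFAULT_VERSIONS line in make.conf selects for ports. It assumes the FreeBSD layout named in the thread (/usr/bin/openssl from base, /usr/local/bin/openssl from ports, /etc/make.conf) and that LibreSSL's banner starts with "LibreSSL" and OpenSSL's with "OpenSSL"; the report function and file path argument are this example's own.

```sh
#!/bin/sh
# Added example: confirm which TLS library an "openssl" binary is and which
# ssl provider ports will build against. Assumes the FreeBSD paths from the thread.

# Classify the first line of `openssl version` output.
classify_openssl_version() {
    case "$1" in
        LibreSSL*) echo libressl ;;
        OpenSSL*)  echo openssl ;;
        *)         echo unknown ;;
    esac
}

# Run a binary's "version" command and classify it; "missing" if not executable.
impl_of_binary() {
    if [ -x "$1" ]; then
        classify_openssl_version "$("$1" version 2>/dev/null | head -n 1)"
    else
        echo missing
    fi
}

# Extract the ssl=<provider> value from a DEFAULT_VERSIONS line in a make.conf file.
# Handles "DEFAULT_VERSIONS= ssl=libressl" and "DEFAULT_VERSIONS+=ssl=libressl".
ssl_provider_from_makeconf() {
    [ -r "$1" ] || { echo none; return 0; }
    awk '
        /^[[:space:]]*DEFAULT_VERSIONS[[:space:]]*\+?=/ {
            sub(/^[[:space:]]*DEFAULT_VERSIONS[[:space:]]*\+?=[[:space:]]*/, "")
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ssl=/) { sub(/^ssl=/, "", $i); found = $i }
        }
        END { print (found == "" ? "none" : found) }
    ' "$1"
}

# Print a one-screen report; optional argument: path to make.conf.
report() {
    echo "base  /usr/bin/openssl        -> $(impl_of_binary /usr/bin/openssl)"
    echo "ports /usr/local/bin/openssl  -> $(impl_of_binary /usr/local/bin/openssl)"
    echo "ports ssl provider (make.conf) -> $(ssl_provider_from_makeconf "${1:-/etc/make.conf}")"
}

report "$@"
```

If the ports line reports openssl rather than libressl, the alias is pointing at a ports OpenSSL build, and keys or certs produced through it were not made with LibreSSL even though the file format is identical either way.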
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,998
Messages: 26,762

#4
Moreover, since the base SSL binary is /usr/bin/openssl, I set an alias like:
Code:
alias  libressl   /usr/local/bin/openssl
Hey, that's a simple, smart idea, I might have to steal that :)
 