.crt .ca .key generated under LibreSSL vs OpenSSL.

Hello guys,

I'm using OpenVPN under FreeBSD and HardenedBSD.

HardenedBSD has implemented LibreSSL, which is a great security step forward. FreeBSD is still using OpenSSL. I have generated .crt .ca .key with easy-rsa under FreeBSD. I moved it all, keys and certs, to HardenedBSD where LibreSSL is, and everything works great. My question is: are there any differences in the way those certs are generated under OpenSSL and LibreSSL? Or are they just tools? I admit that it is much easier to use easy-rsa than to do it manually under HBSD, where easy-rsa is not supported.

Thanks,
 
I think the format is the same, though LibreSSL should have fixed some critical OpenSSL vulnerabilities, as I read on libressl.org, and, as of 2015 (I don't think it's been updated yet), OpenBSD's LibreSSL security track record evidenced a clear gap in the high-risk CVE count between the two.

That said, security/libressl is in ports, and although the base system relies on OpenSSL, nobody keeps one from installing it if preferred. To use it as the default SSL library provider, you can add:
Code:
DEFAULT_VERSIONS= ssl=libressl
to your /etc/make.conf, and make will rely on it to compile ports.

Moreover, since base ssl is /usr/bin/openssl, I set an alias like:
Code:
alias  libressl   /usr/local/bin/openssl
in my .tcshrc, in order to safely use the version provided by security/libressl to produce .pem RSA keys and certs.
 
Moreover, since base ssl is /usr/bin/openssl, I set an alias like:
Code:
alias  libressl   /usr/local/bin/openssl
Hey, that's a simple, smart idea, I might have to steal that :)
 