• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Replacing OpenSSL with LibreSSL

toprank

Member

Thanks: 1
Messages: 32

#1
What's the correct procedure to completely replace OpenSSL with LibreSSL in FreeBSD 11.1-RELEASE?
 

drhowarddrfine

Daemon

Thanks: 643
Messages: 2,401

#2
80% of all questions can be answered with, "Look in the Handbook". The other 18% are solved by Googling.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,692

#3
https://wiki.freebsd.org/LibreSSL

Note that I don't recommend removing OpenSSL and replacing it with LibreSSL for the base. At least not yet. Better leave the base system as-is to avoid any complications during updating or with any of the base OS tools.

For ports it's not a problem, I have many servers using LibreSSL. Some ports have problems with it though, it's not a 100% in-place replacement. Problematic ports can usually be fixed by enabling/disabling certain options.
 

xtaz

Well-Known Member

Thanks: 65
Messages: 311

#4
Agreed with what SirDice has said. I only use it for ports and keep the base OpenSSL as it is. So I change make.conf (inside poudriere) so that it has DEFAULT_VERSIONS+=ssl=libressl. Kick off a poudriere build and then a pkg upgrade to reinstall everything.

Occasionally some ports fail to build with it and you have to manually apply a patch or change the options. ftp/curl for example needs the TLS_SRP option switched off. databases/pgbouncer fails to build without a manually applied patch. For the most part though things tend to work fine.

I suspect that one day the OpenSSL in the base system will either be removed entirely in favour of the port version, or replaced with LibreSSL. But until this happens I would stick with OpenSSL there and not poke the beast too much.

I mitigate this by using port versions for everything. So OpenSSH for example is the port version linked to LibreSSL from ports. I use very little base software.
 

sidetone

Aspiring Daemon

Thanks: 221
Messages: 780

#5
What's the correct procedure to completely replace OpenSSL with LibreSSL in FreeBSD 11.1-RELEASE?
My guess is that this is likely for FreeBSD 12. As xtaz and SirDice have said, ftp/curl's and other ports' full or default features are incompatible with it.

For FreeBSD 11.1, starting with
Code:
DEFAULT_VERSIONS+=ssl=libressl
, my working theory of make.conf to keep all security features for LibreSSL is to use GSS-API from ports with SET/UNSET
Code:
OPTIONS_UNSET= GSSAPI_BASE
OPTIONS_SET= GSSAPI_HEIMDAL # or GSSAPI_MIT
# or for specificity, since few ports default to GSSAPI_BASE and OpenSSL
ftp_curl_UNSET= GSSAPI_BASE
ftp_curl_SET= GSSAPI_HEIMDAL # or GSSAPI_MIT
, and/or to see if it's possible to set the default to OpenSSL for programs that absolutely require it, leaving LibreSSL the default for other ports. I'm uncertain how to proceed with this:
Code:
# Is the following a such option?
ftp_curl_DEFAULT_VERSIONS+=ssl=openssl  # ????