
Replacing OpenSSL with LibreSSL

SirDice


#3
https://wiki.freebsd.org/LibreSSL

Note that I don't recommend removing OpenSSL and replacing it with LibreSSL for the base. At least not yet. Better leave the base system as-is to avoid any complications during updating or with any of the base OS tools.

For ports it's not a problem, I have many servers using LibreSSL. Some ports have problems with it though, it's not a 100% in-place replacement. Problematic ports can usually be fixed by enabling/disabling certain options.
 

xtaz


#4
Agreed with what SirDice has said. I only use it for ports and keep the base OpenSSL as it is. So I change make.conf (inside poudriere) so that it has DEFAULT_VERSIONS+=ssl=libressl. Kick off a poudriere build and then a pkg upgrade to reinstall everything.

Occasionally some ports fail to build with it and you have to manually apply a patch or change the options. ftp/curl for example needs the TLS_SRP option switched off. databases/pgbouncer fails to build without a manually applied patch. For the most part though things tend to work fine.

I suspect that one day the OpenSSL in the base system will either be removed entirely in favour of the port version, or replaced with LibreSSL. But until this happens I would stick with OpenSSL there and not poke the beast too much.

I mitigate this by using port versions for everything. So OpenSSH for example is the port version linked to LibreSSL from ports. I use very little base software.
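After the poudriere rebuild and `pkg upgrade` described in this post, a practitioner usually wants to confirm that each installed binary really resolves libssl/libcrypto from the ports library rather than from base, since a port that ignored `ssl=libressl` (or pulled in a dependency that did) can end up linked against both. The script below is an added example, not code from the thread or from FreeBSD; it assumes the FreeBSD layout in which base OpenSSL provides libssl in `/usr/lib` and libcrypto in `/lib`, and ports libraries live in `/usr/local/lib`. The function names and the sample `ldd` output are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: report which libssl/libcrypto an
# installed binary resolves at runtime, using ldd(1). Assumed FreeBSD layout:
# base OpenSSL = /usr/lib/libssl.so* and /lib/libcrypto.so*, ports SSL library
# (LibreSSL when DEFAULT_VERSIONS+=ssl=libressl) = /usr/local/lib/lib{ssl,crypto}.so*.

# classify_ssl_from_ldd: read ldd(1) output on stdin and print one word:
#   base   - resolves libssl/libcrypto from base (/usr/lib, /lib)
#   ports  - resolves them from /usr/local/lib (the ssl= library from ports)
#   mixed  - pulls in both; usually a port or dependency that ignored the ssl=
#            default, which can crash or silently use the other library
#   none   - no libssl/libcrypto dependency at all
classify_ssl_from_ldd() {
    _base=0
    _ports=0
    while IFS= read -r _line; do
        case "$_line" in
            *"=> /usr/lib/libssl.so"*|*"=> /usr/lib/libcrypto.so"*|*"=> /lib/libcrypto.so"*)
                _base=1 ;;
            *"=> /usr/local/lib/libssl.so"*|*"=> /usr/local/lib/libcrypto.so"*)
                _ports=1 ;;
        esac
    done
    if [ "$_base" -eq 1 ] && [ "$_ports" -eq 1 ]; then
        echo mixed
    elif [ "$_base" -eq 1 ]; then
        echo base
    elif [ "$_ports" -eq 1 ]; then
        echo ports
    else
        echo none
    fi
}

# scan_ssl_links: run ldd over each executable given and print "<class><TAB><path>".
# Example: sh check_ssl_links.sh /usr/local/bin/curl /usr/local/sbin/sshd
scan_ssl_links() {
    for _bin in "$@"; do
        [ -x "$_bin" ] || continue
        printf '%s\t%s\n' "$(ldd "$_bin" 2>/dev/null | classify_ssl_from_ldd)" "$_bin"
    done
}

# sample_ldd: constructed ldd output (not captured from a real system) for each
# situation, so the classifier can be exercised offline without ldd.
sample_ldd() {
    case "$1" in
        ports)
            printf '/usr/local/bin/curl:\n'
            printf '\tlibssl.so.49 => /usr/local/lib/libssl.so.49 (0x800a00000)\n'
            printf '\tlibcrypto.so.47 => /usr/local/lib/libcrypto.so.47 (0x800b00000)\n'
            printf '\tlibc.so.7 => /lib/libc.so.7 (0x800c00000)\n' ;;
        base)
            printf '/usr/bin/openssl:\n'
            printf '\tlibssl.so.8 => /usr/lib/libssl.so.8 (0x800a00000)\n'
            printf '\tlibcrypto.so.8 => /lib/libcrypto.so.8 (0x800b00000)\n'
            printf '\tlibc.so.7 => /lib/libc.so.7 (0x800c00000)\n' ;;
        mixed)
            printf '/usr/local/bin/example:\n'
            printf '\tlibssl.so.49 => /usr/local/lib/libssl.so.49 (0x800a00000)\n'
            printf '\tlibcrypto.so.8 => /lib/libcrypto.so.8 (0x800b00000)\n'
            printf '\tlibc.so.7 => /lib/libc.so.7 (0x800c00000)\n' ;;
        *)
            printf '/bin/ls:\n'
            printf '\tlibc.so.7 => /lib/libc.so.7 (0x800c00000)\n' ;;
    esac
}

# Only scan real binaries when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    scan_ssl_links "$@"
fi
```

Run it over `/usr/local/bin/*` and `/usr/local/sbin/*` after the upgrade; any line reporting `mixed` or `base` for a ports binary points at a port that needs its options adjusted or a rebuild, which is the situation the post describes for ftp/curl and databases/pgbouncer.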
 

sidetone


#5
What's the correct procedure to completely replace OpenSSL with LibreSSL in FreeBSD 11.1-RELEASE?
My guess is that this is likely for FreeBSD 12. As xtaz and SirDice have said, ftp/curl's and other ports' full or default features are incompatible with it.

For FreeBSD 11.1, starting with
Code:
DEFAULT_VERSIONS+=ssl=libressl
, my working theory of make.conf to keep all security features for LibreSSL is to use GSS-API from ports with SET/UNSET
Code:
OPTIONS_UNSET= GSSAPI_BASE
OPTIONS_SET= GSSAPI_HEIMDAL # or GSSAPI_MIT
# or for specificity, since few ports default to GSSAPI_BASE and OpenSSL
ftp_curl_UNSET= GSSAPI_BASE
ftp_curl_SET= GSSAPI_HEIMDAL # or GSSAPI_MIT
, and/or to see if it's possible to set the default to OpenSSL for programs that absolutely require it, leaving LibreSSL the default for other ports. I'm uncertain how to proceed with this:
Code:
# Is the following such an option?
ftp_curl_DEFAULT_VERSIONS+=ssl=openssl  # ????
 