Using LibreSSL

[6502]

Is it good idea to use LibreSSL instead of OpenSSL?

 

[xtremae]

There is/was a discussion here.

 

[Phishfry]

I also wanted to note that both OPNSense and HardenedBSD backed off using LibreSSL.
For HardenedBSD, Shawn said it was manpower issue to keep both. OPNSense was doing a version with LibreSSL for a while.

 

[Remington]

I used to have LibreSSL on my server and decided to switch back after some ports required OpenSSL to build. I'll wait until FreeBSD decides to switch to LibreSSL then that will force maintainers to patch their ports to use LibreSSL. In the meantime, you're better off staying with OpenSSL.

 

[SirDice]

Yeah, I too had it set for a while. But too many ports either failed to build or had other issues. So I switched back to the base OpenSSL.

 

[drhowarddrfine]

In addition, if performance is an issue, libreSSL is slower than openSSL.

 

[olafz]

I have switched to security/libressl, it is used by several ports, e.g. www/nginx and security/openssh-portable. No problems so far.

 

[drhowarddrfine]

olafz Are you sure about that? I've never used libressl with nginx.

 

[SirDice]

I've never used libressl with nginx.

It's not the default. If you set DEFAULT_VERSIONS+= ssl=libressl then nginx would indeed be built against LibreSSL.

 

[olafz]

olafz Are you sure about that? I've never used libressl with nginx.

Yes.

root@annie:~ # pkg query %ro libressl
databases/mariadb103-server
lang/ruby25
databases/mariadb103-client
mail/postfix
security/php72-openssl
security/openssh-portable
security/py-cryptography
archivers/libzip
archivers/libarchive
lang/python27
ftp/curl
dns/ldns
lang/python36
www/nginx
security/p5-Net-SSLeay
devel/libevent

 

[drhowarddrfine]

olafz Your previous post gives the impression that libressl is the default. It is not as SirDice also pointed out.

 

[olafz]

olafz Your previous post gives the impression that libressl is the default. It is not as SirDice also pointed out.

It is as I have DEFAULT_VERSIONS+= ssl=libressl defined.

 

[drhowarddrfine]

olafz You are confused. That is not a nginx default. That is your personal system configuration.

 

[olafz]

I have never said that libressl is the default.

 

[scottro]

Just to clarify for people glancing at the thread, the OP has set it as default in their /etc/make.conf but it is not the default in an install of FreeBSD. (Nor do I think the OP implied it was, but a new user may get slightly confused).

 

[xtaz]

OpenSSL has come a long way since LibreSSL was created. It now has several paid maintainers who have modernized the codebase and eliminated most of the problems that caused the LibreSSL fork. And they continue to improve it. This can be seen by the fact OpenSSL supports TLSv1.3 and LibreSSL still does not.

I stuck with LibreSSL for a couple of years but moved back to OpenSSL when 1.1.1 came out.

 

[drhowarddrfine]

I have never said that libressl is the default.

I have switched to security/libressl, it is used by several ports, e.g. www/nginx and security/openssh-portable.

Not to belabor the point but do you see the confusion?

 

[olafz]

Not to belabor the point but do you see the confusion?

Not at all. I have never said that libressl is the default.