The state of LibreSSL in FreeBSD
attilagyorffy.com

Outside of the BSDs, Void Linux is a linux distro that uses LibreSSL instead of OpenSSL and they also have a stable musl flavor (no glibc).
Gentoo ~x86/~amd64 also supports LibreSSL with the "libressl" USE flag. Makes for a great hardened (Grsecurity/PaX) install for servers/chromebooks.
Is there also a Gentoo profile for a system-wide clang/llvm? Add libressl and musl (instead of glibc), and it would be quite a different and advantageous linux distro.
not sure about clang/llvm, but you can definitely build with musl or uClibc rather than glibc.
Gentoo is largely what you make it, while Void is about sane defaults.
OS X also ships LibreSSL (ssh -v).
I know this is just nitpicking but you may want to use capital V instead: `ssh -V`.
And indeed the SSH command originates from OpenBSD and uses LibreSSL 2.1.8.
Thanks :) I was afk and I hoped someone would correct me.
It's awesome that cool things from OpenBSD are being ported over to FreeBSD, but why not just use OpenBSD from the get-go? It's already a struggle having to deal with FreeBSD's outdated version of pf.
iTWire - Crypto: FreeBSD playing catch-up, says De Raadt: http://www.itwire.com/business-it-news/open-source/62641-cry...
I've got a lot of love for OpenBSD but I can understand people wanting to use FreeBSD for things like ZFS and dtrace. However, for those seeking to use said features, I would personally recommend looking at an illumos distro.
FreeBSD and OpenBSD are ideologically opposed. FreeBSD is free as in freedom, OpenBSD is free as in beer.
Both FreeBSD and OpenBSD are BSD licensed.
Why do you think FreeBSD is free as in freedom?
... "says De Raadt"
Maybe there is a group of people out there that don't want to deal with that ... guy.
Good news for FreeBSD. I agree that LibreSSL is the best bet for the future.
There's also BoringSSL[1], but that might be even more of a departure than LibreSSL in terms of API compatibility. I still think it's surprising that we don't see more BoringSSL being used, especially with nginx.
Why would you use it, if the people making it explicitly recommend against you doing so?
There are some good reasons not to use it. Primarily the lack of API stability and that, as you mention, the people making it caution against it.
But to answer your question, why would someone choose to use it anyway? One reasonable justification is that many people believe (probably myself included) that the quality is superior to openssl or libressl. The APIs are unstable, but the flip side of that coin is that they're probably better. Also, the engineering practices behind boringssl have led to what I would call relatively high quality code. It's well structured, clear, and maybe less likely to suffer as many serious bugs as the alternatives. Time will tell.
Not that I'm recommending it for everyone, just answering your question. Quality is often in the eye of the beholder, use what works best for you.
I would note LibreSSL has taken fixes from BoringSSL.
Isn't it not yet ready for production?
This really depends on what your production environment requires. LibreSSL is mostly API compatible with OpenSSL but removes FIPS and support for esoteric platforms. If your production environment requires Windows 3.1 or big endian amd64, then LibreSSL is probably not ready for your production environment. Seriously though, some of us are already using LibreSSL in production without problems.
This really is a more complex question than it may seem. One of the reasons I haven't yet upgraded my production system is because I want to be able to keep my system up-to-date. Now, having to manually patch the FreeBSD source tree once a new upgrade lands is a bit of a pain. The point of the article is really about exploring where we are and where the FreeBSD community is headed.
It's not in the base system yet. I would be fine with using it in production, however.