[Cialug] First release of LibreSSL

Nicolai nicolai-cialug at chocolatine.org
Mon Jul 14 17:19:48 CDT 2014


On Mon, Jul 14, 2014 at 03:07:26PM -0500, Todd Walton wrote:
> Sometimes forking is good.  Is this a good case?  With Heartbleed having
> just happened, my first thought is: won't this result in *fewer* eyeballs
> on the code?

Two of the first changes made in LibreSSL were:

 * KNF, to make the code readable
 * Removal of Windows 3.1 etc. support, reducing code size

OpenSSL has as close to zero eyes on it as possible for the reason that
nobody wants to look at it.  LibreSSL's first task was making the code
accessible, then to reduce the code size opening up the possibility of
an honest audit.  Additionally, tools like Valgrind work on LibreSSL (but
not OpenSSL), so those eyeballs have a better chance of finding bugs.

The tech at openbsd list archive shows a lot of patches coming in from
outside OpenBSD.  For example, lots of malloc+memset to calloc, various
free()-related fixes, more bounded string functions, etc.  There's a
major motivation within OpenBSD to make LibreSSL successful in the
larger (Linux, FreeBSD, anything POSIX) community in the same way that
OpenSSH is such a success story.

I'll go with LibreSSL.  I also like BoringSSL from Google -- Adam
Langley will do a great job there.  Between the two of them, hopefully
we can start to put these habitual TLS nightmares behind us.

Nicolai
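As an added illustration of the malloc+memset to calloc change mentioned above (example code written for this page, not LibreSSL's own): the hand-rolled multiply wraps silently, while calloc() does the multiply itself and refuses overflowing requests.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The pattern LibreSSL replaced: compute n*size by hand, then zero it.
 * If n*size wraps, malloc() returns a buffer far smaller than the caller
 * believes it got. The wrapped byte count is reported through *got so the
 * discrepancy is visible. */
static void *alloc_zeroed_old(size_t n, size_t size, size_t *got)
{
    size_t bytes = n * size;          /* silent wrap-around on overflow */
    void *p = malloc(bytes);
    if (p != NULL)
        memset(p, 0, bytes);
    if (got != NULL)
        *got = bytes;
    return p;
}

/* The replacement: calloc() multiplies internally and every mainstream
 * libc (glibc, musl, OpenBSD) returns NULL instead of wrapping. */
static void *alloc_zeroed_new(size_t n, size_t size)
{
    return calloc(n, size);
}

/* Portable pre-check a caller can apply before any size multiply. */
static int mul_overflows(size_t n, size_t size)
{
    return size != 0 && n > SIZE_MAX / size;
}

/* Constructed inputs: n*size exceeds SIZE_MAX and wraps to exactly 8. */
#define DEMO_N    ((SIZE_MAX / 8) + 2)
#define DEMO_SIZE ((size_t)8)

/* Returns the byte count the old pattern actually handed out (8). */
static size_t demo_old_pattern_bytes(void)
{
    size_t got = 0;
    void *p = alloc_zeroed_old(DEMO_N, DEMO_SIZE, &got);
    free(p);
    return got;
}

/* Returns 1 when calloc() rejects the same overflowing request. */
static int demo_calloc_rejects(void)
{
    void *p = alloc_zeroed_new(DEMO_N, DEMO_SIZE);
    int rejected = (p == NULL);
    free(p);
    return rejected;
}
```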

