
Use LibreSSL instead of OpenSSL

Open hardBSDk opened this issue 3 years ago • 11 comments

After the Heartbleed event, the OpenSSL project lost credibility in relation to code security measures (memory-safety).

Forks were created and LibreSSL/BoringSSL came, with better code security measures.

LibreSSL uses the same APIs as OpenSSL, rebases with mainstream OpenSSL and cleans obsolete code/ciphers/algorithms.

hardBSDk, Nov 10 '22 04:11

I can confirm that Lagrange works fine with LibreSSL, there's no need to change anything.

CyberTailor, Jan 06 '23 08:01

> I can confirm that Lagrange works fine with LibreSSL, there's no need to change anything

My request is to change the default library of the compilation/pre-compiled binaries.

hardBSDk, Jan 09 '23 22:01

I looked into this a bit. While LibreSSL had a good start with modernizing and cleaning things up, OpenSSL has since evolved significantly. I don't see a pressing need for changes here, especially with Linux distros not being very interested in LibreSSL.

I will switch the macOS prebuilt libraries to LibreSSL since that's what Apple prefers to use.

On Windows I'm using MSYS2, but they don't provide binaries for LibreSSL. I attempted to build it myself but the build scripts didn't work for me under MSYS. I will keep using OpenSSL for the Windows binaries.

The x86_64 Linux AppImage is built on Ubuntu 18.04. It might make sense to try to manually compile the latest LibreSSL and use it instead of the system-provided libssl/libcrypto. I'll leave this for another day.

The armhf Linux AppImage is built on Raspbian 10 (Buster), and it's pretty much the same story as with Ubuntu 18.

On *BSD, one is free to build the app with LibreSSL if they want. I'm not sure if the CMakeLists needs any changes (?).

skyjake, Jan 10 '23 05:01

> default library of the compilation

@hardBSDk From a compilation point of view, LibreSSL is usually a drop-in replacement for OpenSSL. It is up to whoever is doing the build to point CMake to the appropriate "openssl" pkg-config files via the PKG_CONFIG_PATH environment variable.

skyjake, Jan 10 '23 05:01
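
The PKG_CONFIG_PATH selection described in the comment above, as an added example that is not part of the original thread or of Lagrange's build scripts: a pre-build check that reports which `openssl.pc` the search path resolves to first. The `.pc` files, their `Name:`/`Version:` values and the function names are constructed for illustration, and the script models only pkg-config's left-to-right search of PKG_CONFIG_PATH, not its default directories.

```shell
#!/bin/sh
# Added example: which "openssl" pkg-config file would a build pick up?

# Print the first openssl.pc found in a colon-separated search path
# (entries are checked left to right; empty output means none was found).
first_openssl_pc() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -n "$dir" ] && [ -f "$dir/openssl.pc" ]; then
            printf '%s\n' "$dir/openssl.pc"
            break
        fi
    done
}

# Print "<Name> <Version>" as declared inside a .pc file.
pc_identity() {
    awk -F': *' '
        $1 == "Name"    { name = $2 }
        $1 == "Version" { version = $2 }
        END { print name, version }
    ' "$1"
}

# Report the TLS library that the given search path selects.
selected_tls_library() {
    pc=$(first_openssl_pc "$1")
    if [ -z "$pc" ]; then
        echo "none"   # pkg-config would fall back to its default directories
        return 1
    fi
    pc_identity "$pc"
}

# Constructed demo: two throwaway prefixes, each with a minimal openssl.pc.
demo=$(mktemp -d)
mkdir -p "$demo/libressl" "$demo/openssl"
printf 'Name: LibreSSL\nVersion: 0.0.0-example\n' > "$demo/libressl/openssl.pc"
printf 'Name: OpenSSL\nVersion: 0.0.0-example\n'  > "$demo/openssl/openssl.pc"
echo "LibreSSL dir first: $(selected_tls_library "$demo/libressl:$demo/openssl")"
echo "OpenSSL dir first:  $(selected_tls_library "$demo/openssl:$demo/libressl")"
rm -rf "$demo"
```

Running `selected_tls_library "$PKG_CONFIG_PATH"` before invoking CMake shows whether the override is in effect or whether the system library will be used.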

When I get a chance, I will boot up my OpenBSD and FreeBSD VMs and check the build config with LibreSSL.

skyjake, Jan 10 '23 05:01

v1.14.2 includes the changes from the previous comment.

skyjake, Jan 11 '23 10:01

I don't currently plan to make further changes regarding LibreSSL, so closing this (at least for now).

skyjake, Jan 11 '23 10:01

Reopening to investigate some macOS LibreSSL issues:

  • TLS session resumption is not working
  • certificate error: https://layer8.space/@mnordmeyer/109716602867368302

v1.15.0 will revert and go back to OpenSSL, at least for now.

skyjake, Jan 19 '23 20:01