Friday, January 28, 2022

Re: libressl vs openssl

On Fri, 2022-01-28 at 21:18 +0000, Stuart Henderson wrote:
> On 2022-01-28, Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch> wrote:
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> >
> > On Friday, January 28th, 2022 at 14:43, dansk puffer <danskpuffer@outlook.com> wrote:
> >
> > > Are there any major security differences between libressl and openssl nowadays? From what I read the situation for openssl improved and some Linux distros switched back to openssl again with mostly? OpenBSD remaining to use libressl.
> >
> > For me at least, my main beef with Libressl is that it has seemingly mostly achieved its security posture by removing functions.
> >
> > Unfortunately the functions removed are not obscure ones, but more common ones such as, IIRC, various very useful certificate and PKCS11 related functions.
>
> I think you'll need to back that up with some examples. Lots of code has
> been removed but much of that is not API-affecting. In particular *common*
> ones are not removed.
>
> Almost nothing in the ports tree uses OpenSSL. The exceptions
> are nsca-ng (PSK was removed; almost nothing uses that),
> opensmtpd-filter-dkimsign (libressl doesn't have all of the ed25519 api
> from newer openssl yet), 
>
To be more precise, this only goes for the -ed25519 flavor. The main
flavor is compiled with libressl. For most people, ed25519 dkim
signatures aren't even interesting yet, since most verifiers out there
(including the major players last time I checked) don't even support it
yet.

> sslscan (uses a special build with some
> outdated protocols enabled so that it can scan a server to see what it's
> using), and libretls (implementation of the libtls API against OpenSSL
> backend, used for testing portable versions of some OpenBSD software).
> That's all.
>
> There are some functions from OpenSSL 1.1+ API that haven't been added
> to LibreSSL yet, though these days many of the ones which are _actually_
> used by various software have been added.
>
> (Besides, not adding new functions that were added to OpenSSL after
> LibreSSL was forked is not the same thing as removing functions.)
>
>