LibreSSL is a fork of OpenSSL created by OpenBSD. There is also a portable version which is available in the ports tree: security/libressl.

LibreSSL has removed a number of OpenSSL features which can result in build issues for software that relies on them.

LibreSSL also has functionality that is not available in other SSL libraries on FreeBSD.

Much of the detail in the original article has now been split into multiple sub-pages.

How to use LibreSSL

You can use LibreSSL with all of your ports, or to replace OpenSSL in base.

After switching the OpenSSL provider you MUST rebuild all ports.

Problems you'll run into

After switching, the first breakage you will most likely hit is cURL.

Ports

Using LibreSSL instead of OpenSSL has been integrated into the FreeBSD ports framework. Simply set one of the following in your /etc/make.conf (or the corresponding make.conf for poudriere):

For the current stable branch:

DEFAULT_VERSIONS+= ssl=libressl

For the current next branch:

DEFAULT_VERSIONS+= ssl=libressl-devel

After setting this, rebuild all your ports.

Binary distribution

The standard FreeBSD packages are still built with OpenSSL from base, or, for the packages that require a newer OpenSSL, with OpenSSL from ports.

The following FreeBSD derivatives are known to use LibreSSL:

  1. PC-BSD, by default since PC-BSD 10.1.2 (1)

  2. OPNsense, available since OPNsense 15.7 (2)

Base

There are several ways to get a base system without OpenSSL, currently only from source, but soon using binary distributions as well!

Build world/kernel from source

The files and an svn diff can be found on LibreBSD. You can use the files as an overlay on the /usr/src directory or apply the patch set. The 11-stable patches are being maintained; the 10-stable patch is no longer maintained (as of 11.0-RC1). You will have to add the LibreSSL sources yourself.

The procedure is documented in the GitHub repo, so it is not repeated here.

Other sources

Currently there are no binary distributions for LibreSSL-in-base but this is to change with the release of FreeBSD 11.

FreeBSD 10

There's a complete repo for 10.3 from Attila Györffy containing a working version.

There's a HardenedBSD repo containing sources for 10-stable which adds a lot of additional security features.

Upcoming FreeBSD versions

There's a HardenedBSD repo for 11-stable (11.0-RC1) containing LibreSSL and the additional HardenedBSD security features.

There is a repo for the upcoming TrueOS 11 release, which includes LibreSSL and is great for desktops and laptops.

LibreSSL versions

The OpenBSD project has multiple branches of LibreSSL. This chapter describes how the upstream project and the FreeBSD ports correlate.

Stable corresponds to security/libressl
Upcoming corresponds to security/libressl-devel

During the release cycle of OpenBSD, there are times when there's no "Upcoming" version. At these times, the security/libressl and security/libressl-devel ports will be the same version.

In ports

To stay in line with the upstream OpenBSD project, the ports tree will (as of version 2.2/2.3) contain the stable version and the next/snapshot version for early adopters.

Date       | stable | devel
2015-11-01 | 2.2    | 2.3
2016-05-01 | 2.3    | 2.4

As OpenBSD releases the next version of LibreSSL-Portable, the libressl-devel port will move to that next-stable version, and you must rebuild all your ports.

Known problems/quirks

security/p5-openxpi: claimed by its developers not to be fully functional
security/py-cryptography: claimed by its developers not to be fully functional

Building world

When you build world while LibreSSL is installed, some base utilities will link against LibreSSL. You will have to rebuild these every time the shared library versions are bumped.
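Added example (not from this wiki page or the LibreSSL project): a small POSIX shell helper that finds which binaries still link an old libssl/libcrypto shared-library version, which is the check you want both after "rebuild all ports" and after a shared-library bump hits base utilities. It parses ldd output; the expected version numbers come from the libssl/crypto/tls column of the History table below (38/39 for LibreSSL 2.4.0 means libssl.so.38 and libcrypto.so.39). The ldd output embedded in the script is constructed for the example, not captured from a real host.

```sh
#!/bin/sh
# Added example: report binaries linked against a libssl/libcrypto shared
# library other than the expected version, or against one that is missing.

# Constructed sample of `ldd` output (not captured from a real host):
# curl was rebuilt against LibreSSL 2.4 (38/39), wget was not, and the base
# fetch(1) still points at the previous LibreSSL shlib versions (37/38).
SAMPLE_LDD='/usr/local/bin/curl:
        libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800800000)
        libssl.so.38 => /usr/local/lib/libssl.so.38 (0x800a00000)
        libcrypto.so.39 => /usr/local/lib/libcrypto.so.39 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)
/usr/local/bin/wget:
        libssl.so.37 => not found
        libcrypto.so.38 => not found
        libc.so.7 => /lib/libc.so.7 (0x801000000)
/usr/bin/fetch:
        libfetch.so.6 => /usr/lib/libfetch.so.6 (0x800600000)
        libssl.so.37 => /usr/local/lib/libssl.so.37 (0x800800000)
        libcrypto.so.38 => /usr/local/lib/libcrypto.so.38 (0x800a00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)
/usr/local/bin/rsync:
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

# stale_ssl_links SSL_VER CRYPTO_VER
# Reads ldd output on stdin and prints "binary library" for every libssl or
# libcrypto dependency that is not the expected version or is "not found".
stale_ssl_links() {
    awk -v ssl="libssl.so.$1" -v crypto="libcrypto.so.$2" '
        # a "/path/to/binary:" line starts a new section of ldd output
        /^\/.*:$/ { bin = substr($0, 1, length($0) - 1); next }
        $1 ~ /^lib(ssl|crypto)\.so\./ {
            if ($1 != ssl && $1 != crypto)
                print bin, $1            # linked against another version
            else if ($3 == "not" && $4 == "found")
                print bin, $1            # expected version, but the file is gone
        }'
}

# stale_count SSL_VER CRYPTO_VER: number of stale links in the ldd output on stdin.
stale_count() {
    stale_ssl_links "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample, expecting LibreSSL 2.4.0 (38/39).
# On a real host: ldd /usr/local/bin/* /usr/local/sbin/* 2>/dev/null | stale_ssl_links 38 39
printf '%s\n' "$SAMPLE_LDD" | stale_ssl_links 38 39
```

Every line printed is a binary that has to be rebuilt (a port) or reinstalled from a fresh world build (a base utility); an empty result means all libssl/libcrypto consumers are on the expected versions.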

History

Version | Release     | days | libssl/crypto/tls

LibreSSL 2.0 branch (OpenBSD 5.6)
2.0.0   | 12 Jul 2014 | 1    | 27/30/-
2.0.1   | 13 Jul 2014 | 3    | 27/30/-
2.0.2   | 16 Jul 2014 | 6    | 27/30/-
2.0.3   | 22 Jul 2014 | 12   | 27/30/-
2.0.4   | 03 Aug 2014 | 14   | 27/30/-
2.0.5   | 17 Aug 2014 | 57   | 27/30/-

LibreSSL 2.1 (OpenBSD 5.7)
2.1.0   | 13 Oct 2014 | 4    | 27/30/-
2.1.1   | 17 Oct 2014 | 60   | 29/30/-
2.1.2   | 16 Dec 2014 | 37   | 29/30/-
2.1.3   | 22 Jan 2015 | 40   | 30/30/-
2.1.4   | 04 Mar 2015 | 41   | 32/32/-
2.1.5   | 17 Mar 2015 | 13   | 32/32/3
2.1.6   | 19 Mar 2015 | 2    | 32/32/3
2.1.7   | 11 Jun 2015 | 84   | 32/32/3
2.1.8   | 15 Oct 2015 | 126  | 32/32/3
2.1.9   | 08 Dec 2015 | 54   | 32/32/3

LibreSSL 2.2 (OpenBSD 5.8)
2.2.0   | 11 Jun 2015 | 84   | 32/33/3
2.2.1   | 08 Jul 2015 | 27   | 33/34/4
2.2.2   | 06 Aug 2015 | 29   | 35/35/6
2.2.3   | 29 Aug 2015 | 23   | 35/35/6
2.2.4   | 15 Oct 2015 | 47   | 35/35/6
2.2.5   | 08 Dec 2015 | 54   | 35/35/6
2.2.6   | 28 Jan 2016 | 86   | 35/35/6

LibreSSL 2.3 (OpenBSD 5.9)
2.3.0   | 23 Sep 2015 | 29   | 36/37/9
2.3.1   | 03 Nov 2015 | 41   | 36/37/9
2.3.2   | 28 Jan 2016 | 86   | 37/38/10
2.3.3   | 23 Mar 2016 | 55   | 37/38/10
2.3.4   | 03 May 2016 |      | 37/38/10
2.3.5   | 30 May 2016 |      | 37/38/10
2.3.6   | 06 Jun 2016 |      | 37/38/10

LibreSSL 2.4 (OpenBSD 6.0)
2.4.0   | 30 May 2016 |      | 38/39/11
2.4.1   | 06 Jun 2016 | 7    | 38/39/1

The detailed version history was moved to the LibreSSL history sub-page.

Ports

Detailed information on specific ports can now be found in the sub-page.

The first build of all ports with LibreSSL for PC-BSD revealed 81 ports which require patching to work properly.

The build of all ports with LibreSSL 2.3, which has removed SSLv3, revealed 92 ports which require patching to work. This has been captured in the OpenSSL section as this fallout is considered equal to the fallout of building all ports with OpenSSL with SSLv3 disabled (security_openssl_UNSET=SSL3 / --no-ssl3).

Types of Failures

Note: counts are not up-to-date.

Problem  | Description                                              | Count | PRs Unsolved | PRs Open | PRs Closed
EGD      | Uses RAND_egd methods that no longer exist in LibreSSL   | 38    | 12           | 16       | 0
DES      | Uses deprecated des_ methods (replaced by DES_ methods)  | 29    | 4            | 15       | 0
SSLv2    | Uses SSLv2 methods that no longer exist in LibreSSL      | 7     | 2            | 3        | 0
COMP     | Wants SSL compression                                    | 10    | 7            | 4        | 1
arc4rand | Conflict in FreeBSD/LibreSSL libs                        | 4     | 0            | 0        | 4
CMS      | Uses deprecated S/MIME methods                           | 3     | 0            | 3        | 0
GOST     | Uses removed GOST methods                                | 2     | 0            | 0        | 2
PSK      | Uses PSK methods                                         | 4     | 1            | 0        | 2
SSLv3    | Uses SSLv3 methods that no longer exist in LibreSSL 2.3  | 85    | 10           | 0        | 5
SHA-0    | Uses SHA-0 methods                                       | 8     | 0            | 0        | 4
Other    | Other issues                                             | 25    | 2            | 13       | 8
TOTAL    |                                                          | 204   | 30           | 51       | 33

net-p2p/bitcoin and other virtual currency applications cannot be fixed; they require bug-compatible OpenSSL libraries.

You can find examples of fixes in this GitHub repo, cross-reference with the PC-BSD 10.1.2 ports build chapter of the Ports sub-page.

Specific guidance for fixing the problems in the table above can be found here.
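Added example (not from this wiki page, the ports tree or the LibreSSL project): a shell triage script that scans C sources for the API families the table above lists as removed or deprecated in LibreSSL, so a port can be sorted into the table's categories before it fails to build. The category-to-symbol mapping (RAND_egd for EGD, lower-case des_ functions for DES, SSLv2_/SSLv3_ method constructors, SSL_COMP_/COMP_zlib for COMP, GOST, the SSL_*_psk_ functions for PSK, and SHA_Init/SHA_Update/SHA_Final/SHA() for SHA-0) is my reading of the table, not the page's own list; the CMS and arc4rand rows have no simple symbol pattern and are left out. The sample C files the script writes are constructed for the example.

```sh
#!/bin/sh
# Added example: triage C sources for API families that LibreSSL removed or
# deprecated (see the "Types of Failures" table). A hit marks a file for
# review, not proof of breakage: the call may already sit behind a guard such
# as #ifndef OPENSSL_NO_SSL3.

# One "category regex" pair per line (grep -E, case-sensitive; no spaces in
# the regex). (^|[^A-Za-z0-9_]) is a portable word boundary, so for instance
# SSLv23_client_method is reported as neither SSLv2 nor SSLv3.
PATTERNS='EGD (^|[^A-Za-z0-9_])RAND_egd
DES (^|[^A-Za-z0-9_])des_[a-z0-9_]+\(
SSLv2 (^|[^A-Za-z0-9_])SSLv2_(client_|server_)?method
SSLv3 (^|[^A-Za-z0-9_])SSLv3_(client_|server_)?method
COMP (^|[^A-Za-z0-9_])(SSL_COMP_|COMP_zlib|COMP_rle)
GOST (^|[^A-Za-z0-9_])GOST
PSK (^|[^A-Za-z0-9_])SSL(_CTX)?_(set|use)_psk_
SHA-0 (^|[^A-Za-z0-9_])SHA(_Init|_Update|_Final|\()'

# classify_ssl_usage FILE...
# Prints "CATEGORY file" for every category whose pattern matches the file.
classify_ssl_usage() {
    for f in "$@"; do
        printf '%s\n' "$PATTERNS" | while read -r category re; do
            if grep -Eq "$re" "$f"; then
                printf '%s %s\n' "$category" "$f"
            fi
        done
    done
}

# make_samples: write constructed C files into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/egd_client.c" <<'EOF'
/* constructed: seeds from an EGD socket, an API LibreSSL no longer provides */
#include <openssl/rand.h>
int seed(void) { return RAND_egd("/var/run/egd-pool"); }
EOF
    cat >"$dir/legacy_des.c" <<'EOF'
/* constructed: old lower-case des_ API (the DES_ spelling is the replacement) */
#include <openssl/des.h>
void enc(des_key_schedule ks) { des_ecb_encrypt(0, 0, ks, 1); }
EOF
    cat >"$dir/sslv3_guarded.c" <<'EOF'
/* constructed: SSLv3 reference already guarded; still flagged for review */
#ifndef OPENSSL_NO_SSL3
const SSL_METHOD *m = SSLv3_client_method();
#endif
EOF
    cat >"$dir/clean.c" <<'EOF'
/* constructed: only current APIs, should produce no hits */
#include <openssl/ssl.h>
const SSL_METHOD *m = SSLv23_client_method();
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run over the constructed files. For a real port, point it at the
# extracted sources instead, e.g.: classify_ssl_usage $(find work -name '*.c')
demo() {
    dir=$(make_samples)
    classify_ssl_usage "$dir"/*.c
    rm -rf "$dir"
}
demo
```

The output is one line per category hit, so `classify_ssl_usage ... | cut -d' ' -f1 | sort | uniq -c` gives a per-category count in the shape of the table's Count column for whatever source tree you point it at.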

LibreSSL (and OpenSSL) Security Vulnerabilities

Advisories prior to the initial release of LibreSSL (portable) are not included.

Severity         | LibreSSL | OpenSSL
Critical+ / High | 0        | 5
Medium*          | 16       | 31
Low              | 7        | 12
Total            | 19       | 36

* NVD Medium + OpenSSL Moderate
+ OpenSSL added Critical level in revised severity rating 2015-09-28

The list of vulnerabilities of OpenSSL and LibreSSL is kept up-to-date in the Wikipedia LibreSSL article.

Links

Some more info

  1. PC-BSD® is a user-friendly desktop operating system based on FreeBSD (1)

  2. OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. (2)

LibreSSL (last edited 2016-09-01 17:44:30 by BernardSpil)