LibreSSL is a fork of OpenSSL created by OpenBSD. There is also a portable version which is available in the ports tree: security/libressl.
LibreSSL has removed a number of OpenSSL features which can result in build issues for software that relies on them.
LibreSSL also has functionality that is not available in other SSL libraries on FreeBSD:
- ChaCha20/Poly1305 cipher
Much of the detail in the original article has now been split into multiple sub-pages.
How to use LibreSSL
You can use LibreSSL with all of your ports, or to replace OpenSSL in base.
After switching the OpenSSL provider you MUST rebuild all ports.
Problems you'll run into
After switching, this will most likely hit you with cURL:
- GSS-API: If you need this you must select one of the ports implementations; you cannot combine ports Open-/LibreSSL with base GSS-API.
- Secure Remote Password (TLS-SRP): Must be disabled.
Ports
Using LibreSSL instead of OpenSSL has been integrated in the FreeBSD ports framework. Simply set one of the following in your /etc/make.conf (or the corresponding make.conf for poudriere):
For the current stable branch:
DEFAULT_VERSIONS+= ssl=libressl
For the current next branch:
DEFAULT_VERSIONS+= ssl=libressl-devel
After setting this, rebuild all your ports.
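The make.conf line above is the whole switch, but it is easy to end up with two ssl= entries (one per branch) or to clobber other DEFAULT_VERSIONS values that share the line. The following sh helper is an added example, not part of this page or of the ports framework: it sets the ssl= entry idempotently and reads the current one back. The function names are this example's own, and the accepted provider names other than the two LibreSSL values (base and openssl) are assumed.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD wiki or the ports framework:
# idempotently set DEFAULT_VERSIONS ssl= in a make.conf and read it back.
# Function names are this example's own; "base" and "openssl" as accepted
# values are an assumption (the page itself only shows the LibreSSL ones).

# Accepted values for ssl= (assumed list).
valid_ssl_provider() {
	case $1 in
		base|openssl|libressl|libressl-devel) return 0 ;;
		*) return 1 ;;
	esac
}

# set_ssl_default FILE PROVIDER
# Removes any existing ssl= token from DEFAULT_VERSIONS lines (keeping other
# entries such as python= on the same line), drops lines left empty, and
# appends a single fresh ssl= line. Remember: after changing the provider,
# every port has to be rebuilt.
set_ssl_default() {
	conf=$1 provider=$2
	valid_ssl_provider "$provider" || {
		echo "unknown ssl provider: $provider" >&2
		return 1
	}
	tmp=$(mktemp)
	if [ -f "$conf" ]; then
		sed -E \
		    -e '/^[[:space:]]*DEFAULT_VERSIONS[[:space:]]*\+?=/s/(^|[[:space:]=])ssl=[^[:space:]]*/\1/' \
		    -e '/^[[:space:]]*DEFAULT_VERSIONS[[:space:]]*\+?=[[:space:]]*$/d' \
		    "$conf" > "$tmp"
	fi
	echo "DEFAULT_VERSIONS+= ssl=$provider" >> "$tmp"
	# copy the content back instead of mv, so the mode and owner of
	# /etc/make.conf are preserved
	cat "$tmp" > "$conf" && rm -f "$tmp"
}

# current_ssl_default FILE
# Prints the provider from the last ssl= entry, or "base" when none is set
# (assumed to be the ports framework's default when ssl= is absent).
current_ssl_default() {
	conf=$1
	p=""
	[ -f "$conf" ] && p=$(sed -nE \
		'/^[[:space:]]*DEFAULT_VERSIONS[[:space:]]*\+?=/s/.*[[:space:]=]ssl=([^[:space:]#]+).*/\1/p' \
		"$conf" | tail -n 1)
	echo "${p:-base}"
}

# Stand-alone demo on a constructed make.conf (not a real system file).
demo=$(mktemp)
printf 'CPUTYPE?=native\nDEFAULT_VERSIONS+= ssl=openssl python=3.9\n' > "$demo"
set_ssl_default "$demo" libressl
echo "ssl provider now: $(current_ssl_default "$demo")"   # ssl provider now: libressl
cat "$demo"
rm -f "$demo"
```

The sed in set_ssl_default strips only the ssl= token, so a line such as `DEFAULT_VERSIONS+= ssl=openssl python=3.9` keeps its python= entry, and a line that is left as a bare `DEFAULT_VERSIONS+=` is dropped rather than written back.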
Binary distribution
The standard packages from FreeBSD are still being built with OpenSSL from base and, for some packages requiring a newer OpenSSL, with OpenSSL from ports.
The following FreeBSD derivatives are known to use LibreSSL
Base
There are several ways to get a base system without OpenSSL, currently only from source, but soon using binary distributions as well!
Build world/kernel from source
The files and an svn-diff can be found on LibreBSD. You can use the files as an overlay to the /usr/src directory or apply the patch-set. The 11-stable patches are being maintained; the 10-stable patch is no longer maintained (as of 11.0-RC1). You will have to add the LibreSSL sources yourself.
The procedure is documented in the Github Repo so we'll not repeat that here.
Other sources
Currently there are no binary distributions for LibreSSL-in-base but this is to change with the release of FreeBSD 11.
FreeBSD 10
There's a complete repo for 10.3 from Attila Györffy containing a working version.
There's a HardenedBSD repo containing sources for 10-stable which adds a lot of additional security features.
Upcoming FreeBSD versions
There's a HardenedBSD repo for 11-stable (11.0-RC1) containing LibreSSL and the additional HardenedBSD security features.
There's a repo for the upcoming TrueOS 11 release, which includes LibreSSL and is great for desktops and laptops.
LibreSSL versions
The OpenBSD project has multiple branches of LibreSSL. This chapter describes how the upstream project and the FreeBSD ports correlate.
- Stable corresponds to security/libressl
- Upcoming corresponds to security/libressl-devel
During the release cycle of OpenBSD, there are times when there's no "Upcoming" version. At these times, the security/libressl and security/libressl-devel ports will be the same version.
In ports
To stay in line with the upstream OpenBSD project, the ports tree will (as of version 2.2/2.3) contain the stable version and the next/snapshot version for early adopters.
| Date | stable | devel |
|---|---|---|
| 2015-11-01 | 2.2 | 2.3 |
| 2016-05-01 | 2.3 | 2.4 |
As OpenBSD releases the next version of LibreSSL-Portable, the libressl-devel port will move to that next stable version, and you must rebuild all your ports.
Known problems/quirks
- security/p5-openxpi: Claimed to not be fully functional by the developers
- security/py-cryptography: Claimed to not be fully functional by the developers
Building world
When you build world with LibreSSL installed, some base utilities will link to LibreSSL. You will have to update these every time the shared library versions are bumped.
History
| Version | Release | days | libssl/crypto/tls |
|---|---|---|---|
| LibreSSL 2.0 branch (OpenBSD 5.6) | | | |
| | 2014-07-12 | 1 | 27/30/- |
| | 2014-07-13 | 3 | 27/30/- |
| | 2014-07-16 | 6 | 27/30/- |
| | 2014-07-22 | 12 | 27/30/- |
| | 2014-08-03 | 14 | 27/30/- |
| | 2014-08-17 | 57 | 27/30/- |
| LibreSSL 2.1 (OpenBSD 5.7) | | | |
| | 2014-10-13 | 4 | 27/30/- |
| | 2014-10-17 | 60 | 29/30/- |
| | 2014-12-16 | 37 | 29/30/- |
| | 2015-01-22 | 40 | 30/30/- |
| | 2015-03-04 | 41 | 32/32/- |
| | 2015-03-17 | 13 | 32/32/3 |
| | 2015-03-19 | 2 | 32/32/3 |
| | 2015-06-11 | 84 | 32/32/3 |
| | 2015-10-15 | 126 | 32/32/3 |
| | 2015-12-08 | 54 | 32/32/3 |
| LibreSSL 2.2 (OpenBSD 5.8) | | | |
| | 2015-06-11 | 84 | 32/33/3 |
| | 2015-07-08 | 27 | 33/34/4 |
| | 2015-08-06 | 29 | 35/35/6 |
| | 2015-08-29 | 23 | 35/35/6 |
| | 2015-10-15 | 47 | 35/35/6 |
| | 2015-12-08 | 54 | 35/35/6 |
| | 2016-01-28 | 86 | 35/35/6 |
| | 2016-05-03 | 96 | 35/35/6 |
| | 2016-05-31 | 28 | 35/35/6 |
| | 2016-06-09 | 9 | 35/35/6 |
| LibreSSL 2.3 (OpenBSD 5.9) | | | |
| | 2015-09-23 | 29 | 36/37/9 |
| | 2015-11-03 | 41 | 36/37/9 |
| | 2016-01-28 | 86 | 37/38/10 |
| | 2016-03-23 | 55 | 37/38/10 |
| | 2016-05-03 | 41 | 37/38/10 |
| | 2016-05-31 | 28 | 37/38/10 |
| | 2016-06-09 | 9 | 37/38/10 |
| | 2016-08-01 | 53 | 37/38/10 |
| | 2016-09-27 | 57 | 37/38/10 |
| | 2016-11-06 | 40 | 37/38/10 |
| | 2017-02-01 | 87 | 37/38/10 |
| LibreSSL 2.4 (OpenBSD 6.0) | | | |
| | 2016-05-31 | 28 | 38/39/11 |
| | 2016-06-09 | 9 | 38/39/11 |
| | 2016-08-01 | 53 | 38/39/11 |
| | 2016-09-27 | 57 | 38/39/11 |
| | 2016-11-06 | 40 | 38/39/11 |
| | 2017-02-01 | 87 | 38/39/11 |
| LibreSSL 2.5 (OpenBSD 6.1) | | | |
| | 2016-09-27 | 57 | 38/39/11 |
| | 2017-02-01 | 127 | 41/43/15 |
| | 2017-03-26 | 53 | 41/43/15 |
| | 2017-04-11 | 16 | 41/43/15 |
| | 2017-05-01 | 20 | 41/43/15 |
| | 2017-07-12 | 72 | 41/43/15 |
| LibreSSL 2.6 (OpenBSD 6.2) | | | |
| | 2017-07-12 | 72 | 41/43/15 |
| | 2017-09-06 | 56 | 42/44/16 |
| | 2017-09-26 | 20 | 42/44/16 |
| | 2017-11-06 | 41 | 42/44/16 |
| | 2017-12-19 | 43 | 42/44/16 |
| | 2018-06-13 | 176 | 42/44/16 |
| LibreSSL 2.7 (OpenBSD 6.3) | | | |
| | 2018-03-21 | 92 | 43/45/17 |
| | 2018-03-23 | 2 | 43/45/17 |
| | 2018-04-01 | 9 | 43/45/17 |
| | 2018-05-05 | 34 | 43/45/17 |
| | 2018-06-13 | 39 | 43/45/17 |
| LibreSSL 2.8 (OpenBSD 6.4) | | | |
| | 2018-08-06 | 54 | 43/45/17 |
| | 2018-09-25 | 50 | 44/46/18 |
The detailed version history has been moved to the LibreSSL history sub-page.
Ports
Detailed information on specific ports can now be found in the sub-page.
Fixes for specific versions can be found in separate pages:
- LibreSSL 2.1: initial import
- LibreSSL 2.2: SSLv3 disabled
- LibreSSL 2.3: SSLv3 removed
- LibreSSL 2.5 (opaque structures)
- LibreSSL 2.6 (more opaque structures)
- LibreSSL 2.7 (OpenSSL 1.1 API)
- ...
- LibreSSL 3.5 (more OpenSSL 1.1 API and opaque structures)
The first build of all ports with LibreSSL for PC-BSD revealed 81 ports which require patching to work properly.
The build of all ports with LibreSSL 2.3, which has removed SSLv3, revealed 92 ports which require patching to work. This has been captured in the OpenSSL section as this fallout is considered equal to the fallout of building all ports with OpenSSL with SSLv3 disabled (security_openssl_UNSET=SSL3 / --no-ssl3).
Types of Failures
Note: Counts are not up-to-date
| Problem | Description | Count | PRs open | PRs closed | Unsolved |
|---|---|---|---|---|---|
| | uses RAND_egd methods that no longer exist in LibreSSL | 38 | 12 | 16 | 0 |
| | Uses deprecated des_ methods (replaced by DES_ methods) | 29 | 4 | 15 | 0 |
| | Uses SSLv2 methods that no longer exist in LibreSSL | 7 | 2 | 3 | 0 |
| | Wants SSL compression | 10 | 7 | 4 | 1 |
| arc4rand | conflict in FreeBSD/LibreSSL libs | 4 | 0 | 0 | 4 |
| CMS | Uses deprecated S/MIME methods | 3 | 0 | 3 | 0 |
| | Uses removed GOST methods | 2 | 0 | 0 | 2 |
| PSK | Uses PSK methods | 4 | 1 | 0 | 2 |
| | Uses SSLv3 methods that no longer exist in LibreSSL 2.3 | 85 | 10 | 0 | 5 |
| | Uses SHA-0 methods | 8 | 0 | 0 | 4 |
| Other | Other issues | 25 | 2 | 13 | 8 |
| TOTAL | | 204 | 30 | 51 | 33 |
The net-p2p/bitcoin and other virtual currency applications cannot and will not be fixed; they require bug-compatible OpenSSL libraries.
You can find examples of fixes in this GitHub repo, cross-reference with the PC-BSD 10.1.2 ports build chapter of the Ports sub-page.
Specific guidance for fixing the problems in the table above can be found here
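Most rows of the table above are mechanical to find: the offending symbols are plain identifiers that a grep over a port's extracted sources exposes before the first build failure. The following sh script is an added example and not a tool from this page, the ports tree or the LibreSSL project. It classifies a source tree by the table's categories using regular expressions of its own (the category names and patterns are this example's assumptions and heuristics, not a complete list of removed APIs), runs on a constructed sample tree so it works offline, and goes slightly beyond the table in that every category is a one-line pattern you can extend.

```shell
#!/bin/sh
# Added example, not a tool from the FreeBSD wiki, the ports tree or LibreSSL:
# grep-based triage of a source tree for the OpenSSL API usages the
# "Types of Failures" table lists as LibreSSL build fallout.
# Category names and patterns below are this example's own heuristics
# (POSIX ERE for grep -E); extend the list with one "name pattern" line per category.

fallout_patterns() {
	cat <<'EOF'
RAND_egd RAND_egd
des_lowercase (^|[^A-Za-z0-9_])des_[a-z0-9_]+\(
SSLv2 SSLv2(_server|_client)?_method
SSLv3 SSLv3(_server|_client)?_method
compression SSL_COMP_|SSL_get_current_compression|COMP_zlib
CMS (^|[^A-Za-z0-9_])(CMS_[A-Za-z0-9_]+|SMIME_(read|write)_CMS)\(
GOST ENGINE_load_gost|NID_id_Gost
PSK SSL_CTX_(set_psk_(client|server)_callback|use_psk_identity_hint)
SHA0 (^|[^A-Za-z0-9_])SHA(_Init|_Update|_Final)?\(
arc4random (^|[^A-Za-z0-9_])arc4random(_buf|_uniform)?\(
EOF
}

# fallout_count DIR CATEGORY: number of files under DIR matching CATEGORY (0 if unknown).
fallout_count() {
	dir=$1 name=$2
	pat=$(fallout_patterns | awk -v n="$name" '$1 == n { print $2 }')
	[ -n "$pat" ] || { echo 0; return; }
	grep -rlE -- "$pat" "$dir" 2>/dev/null | wc -l | tr -d ' '
}

# fallout_files DIR: every file under DIR that matches at least one category.
fallout_files() {
	dir=$1
	fallout_patterns | while read -r name pat; do
		grep -rlE -- "$pat" "$dir" 2>/dev/null || true   # no hits is not an error
	done | sort -u
}

# libressl_fallout_scan DIR: "category count" per category with hits, largest first.
libressl_fallout_scan() {
	dir=$1
	fallout_patterns | while read -r name pat; do
		n=$(grep -rlE -- "$pat" "$dir" 2>/dev/null | wc -l | tr -d ' ')
		if [ "$n" -gt 0 ]; then
			echo "$name $n"
		fi
	done | sort -k2,2nr
}

# Constructed sample tree (not real port sources) so the example runs offline:
# two files that use removed APIs and one that is fine on both libraries.
make_sample_tree() {
	d=$(mktemp -d)
	mkdir -p "$d/src"
	cat > "$d/src/old_ssl.c" <<'EOF'
ctx = SSL_CTX_new(SSLv3_client_method());
RAND_egd("/var/run/egd-pool");
EOF
	cat > "$d/src/legacy_des.c" <<'EOF'
des_set_key(&key, schedule);
SSL_CTX_set_psk_client_callback(ctx, psk_cb);
EOF
	cat > "$d/src/modern.c" <<'EOF'
ctx = SSL_CTX_new(TLS_client_method());
SHA1_Init(&c);  /* SHA-1, not the removed SHA-0 */
EOF
	echo "$d"
}

sample=$(make_sample_tree)
libressl_fallout_scan "$sample"   # RAND_egd 1, des_lowercase 1, SSLv3 1, PSK 1 (one per line)
echo "files needing patches: $(fallout_files "$sample" | wc -l | tr -d ' ')"   # 2
rm -rf "$sample"
```

fallout_count gives the number of files hit by one category (0 for an unknown category), fallout_files lists every file with any hit, and libressl_fallout_scan prints per-category counts, largest first. The SHA0 and des_lowercase patterns deliberately require the opening parenthesis and exact case so that SHA1_Init and the DES_ replacements do not count as hits; point the scan at a port's extracted work directory rather than a whole checkout.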
LibreSSL (and OpenSSL) Security Vulnerabilities
Advisories prior to the initial release of LibreSSL (portable) are not included.
| Severity | LibreSSL | OpenSSL |
|---|---|---|
| Critical+ | | |
| High | 0 | 5 |
| Medium* | 16 | 31 |
| Low | 7 | 12 |
| Total | 19 | 36 |
* NVD Medium + OpenSSL Moderate
+ OpenSSL added Critical level in revised severity rating 2015-09-28
The list of vulnerabilities of OpenSSL and LibreSSL is kept up-to-date in the Wikipedia LibreSSL article.
Links
Some more info:
- lib/25367 arc4random state is shared across forks
- LibreSSL: More Than 30 Days Later (EuroBSDCon Paper)
- EuroBSDCon 2014 presentation arc4random: 1996 to present