Note: As of FreeBSD 10.3-RC1 this is a working proof of concept for the RELEASE branch.

FreeBSD 10.3 Release

The 10.3 version is based on the work done in HardenedBSD on the master branch (FreeBSD CURRENT). The question there was if we could devise a structure that allows building with LibreSSL whilst not replacing OpenSSL. Replacing OpenSSL causes issues with maintaining a forked repo.

LibreBSD

**Before you ask:** This will not be a fork! I intend to maintain this as a patch-set for the most recent release of FreeBSD and will maintain it for HardenedBSD as well.

Early March 2016 I managed to get LibreSSL to build, and all binaries to link to it on HardenedBSD. The patches were created on a derivative of the -to be released later this year- FreeBSD 11. See my earlier blog-posts for more details Part I and Part II.

I had tried to replace OpenSSL in FreeBSD 10 when I was at OpenBSD's LibreSSL hackathon in VaraĹždin (Croatia) last year but hadn't managed to complete the project. The release of LibreSSL 2.3 also removed SSLv3 so my attention was on fixing fallout from that removal. 'Evidence' of that work and the patches can be found in the No-SSLv3 wiki article. As it turned out this time, it wasn't extremely difficult to do so I thought it wouldn't take too much time to do this for FreeBSD 10 as well. FreeBSD 10.3 is nearing its completion, so where better to start than with the current first Release Candidate!

**Feedback appreciated:** I haven't replayed all the steps here, do let me know where I've hidden my typos and mistakes! (email, Twitter, GitHub, Facebook, avionary)

The 'recipe'

**You'll need to select the correct branch for your FreeBSD version**

  1. Download the LibreSSL 2.3 tarball

    • Extract this tarball into /usr/src/crypto and rename the directory from libressl-2.3.3 to libressl

  2. Apply the patch-set from my GitHub repo

  3. Add WITH_LIBRESSL=yes to /etc/src.conf
  4. Rebuild and install your kernel and world (see the FreeBSD handbook chapter for detail)

  5. Reboot

Commands

As commands (assuming you already have checked out FreeBSD 10.3 into /usr/src)

   1 cd ~
   2 mkdir download && cd download
   3 fetch http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.3.tar.gz
   4 fetch https://github.com/Sp1l/LibreBSD/raw/FreeBSD-10.3/patchset/patchset
   5 cd /usr/src/crypto
   6 tar xf ~/download/libressl-2.3.3.tar.gz
   7 mv libressl-2.3.3 libressl
   8 cd /usr/src
   9 patch < ~/download/patchset
  10 echo 'WITH_LIBRESSL=yes' >> /etc/src.conf
  11 make buildworld && make buildkernel && make installkernel && make installworld
  12 reboot

Line 3: You should verify the tarball using signify or gpg. Line 11: This should take quite a lot of time (probably hours) and is NOT the canonical way to do this. See the handbook chapter on rebuilding your system for a complete description!

Now that was easy wasn't it?

Update your ports

After upgrading the kernel and world you'll need to rebuild all ports. If before you had defined

   1 WITH_OPENSSL_PORT= yes
   2 OPENSSL_PORT=   security/libressl-devel

you can now remove these bits, but then you should rebuild world and kernel after every update of LibreSSL. Unless the shared library version -and thus the ABI- stay the same.

Updating LibreSSL

If LibreSSL receives an update that has the same shared library version, you can use my guidance from the FreeBSD wiki after downloading/extracting the latest LibreSSL tarball as discussed in the previous paragraph.

   1 cd /usr/src/secure/lib/libcrypto
   2 make obj && make depend && make includes && make
   3 make install
   4 cd /usr/src/secure/lib/libssl
   5 make clean && make depend && make includes && make
   6 make install
   7 cd /usr/src/secure/usr.bin/openssl
   8 make clean && make
   9 make install

The detail

Next to the patchset, I've also added all the files that were changed to my GitHub repo. The files are in their original location so you can use these as an overlay for your /usr/src.

LibreSSL patches

FreeBSD 11 changed quite a lot in the build framework, so I had to adapt the patches for libcrypto, libssl and openssl accordingly. This made the build for the openssl binary fail, so I had to change

   1 LIBADD+= crypto ssl

into

   1 DPADD=  ${LIBSSL} ${LIBCRYPTO}
   2 LDADD=  -lssl -lcrypto

The bulk of the patches I created for HardenedBSD just worked just fine on 10.3

base software patches

Most of the patches that I created for HardenedBSD applied cleanly.

  1. The patches for libtelnet and ppp worked fine.

  2. The wpa patches are not required, in 10.3 there's a much older version that doesn't have all the OpenSSL version checks.

  3. The heimdal patches I've not yet tested but these patches.

FreeBSD CURRENT

AKA HEAD, master, 11, ...

The original patch set was created for HardenedBSD for their playground/master branch.

Early March 2016 I managed to get LibreSSL to build, and all binaries to link to it on HardenedBSD. The patches were created on a derivative of the -to be released later this year- FreeBSD 11. See my earlier blog-posts for more details Part I and Part II.

The build system for FreeBSD 11 is slightly different from the 10 branch. All of the resources you need can be found on the HardenedBSD-playground repo in the hardened/current/libressl branch.

recipe

The recipe doesn't differ from the recipe for 10.3 but you'll need a different patch-set.

TODO

  1. Create a branch in the LibreBSD repo for FreeBSD current.

  2. Create a patch-set for vanilla FreeBSD head in the LibreBSD repository

Historical information

Starting point

Base programs/libraries known to link with LibreSSL when installed as a port

Software linking to OpenSSL libs in base

  1. ldns -> replace with ports' dns/ldns

  2. pkg -> replace with ports' ports-mgmt/pkg

  3. svnlite -> replace with ports' devel/subversion

  4. libfetch -> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191951

  5. bsdinstall
  6. iscsi
  7. ppp (also relies on deprecated des_ functions)
  8. bsdmp (not in 10.2?)

bsdx' patches here http://www.egr.msu.edu/~mcdouga9/nossl-patches/

Make ssl/crypto in base private

patch Pre-req patch for pkg

Hackathon build

Really, really experimental!

  1. Grab the tarball from github/libressl-portable/openbsd (NOT the portable bits!)
  2. Hack the secure/lib/libcrypto/Makefile (align with OpenBSD's lib/libcrypto/Makefile)

LibreSSL/Base (last edited 2016-03-23T12:27:18+0000 by BernardSpil)