<<TableOfContents(2)>>

[[http://www.libressl.org|LibreSSL]] is a fork of [[OpenSSL]] created by OpenBSD. There is also a [[https://github.com/libressl-portable|portable version]] which is available in the ports tree: [[http://freshports.org/security/libressl|security/libressl]].

LibreSSL has [[LibreSSL/History#1|removed]] [[LibreSSL/History#2|a number of OpenSSL features]] which can result in build issues for software that relies on them.

LibreSSL also has functionality that is not available in other SSL libraries on FreeBSD:
 * [[LibreSSL/ChaCha20|ChaCha20]]/Poly1305 cipher

Much of the detail in the original article has now been split into multiple sub-pages:
 * [[LibreSSL/Ports|Ports]]
 * [[LibreSSL/Base|Base]]
 * [[LibreSSL/History|History]]

= How to use LibreSSL =

You can use LibreSSL with all of your [[#Ports|ports]], or to replace OpenSSL in [[#Base|base]].

After switching the OpenSSL provider you '''''MUST''''' rebuild all ports.

== Problems you'll run into ==

After switching, cURL is the port most likely to give you trouble:
  * GSS-API: If you need this you must select one of the ports implementations; you cannot combine Open-/LibreSSL from ports with GSS-API from base
  * Secure Remote Password (TLS-SRP): ''must'' be disabled

== Ports ==

Using LibreSSL instead of OpenSSL has been integrated in the FreeBSD ports framework. Simply set one of the following in your /etc/make.conf (or the corresponding make.conf for poudriere):

For the current [[#Stable|stable]] branch
{{{
DEFAULT_VERSIONS+= ssl=libressl
}}}

For the current [[#Next|next]] branch
{{{
DEFAULT_VERSIONS+= ssl=libressl-devel
}}}

After setting this, rebuild all your ports.

=== Binary distribution ===

The standard packages from FreeBSD are still built with OpenSSL from base, or, for the packages that require a newer OpenSSL, with OpenSSL from ports.

The following FreeBSD derivatives are known to use LibreSSL:
  1. [[https://trueos.org|TrueOS]] by default since TrueOS 10.1.2<<FootNote(TrueOS® is a user friendly desktop Operating System based on FreeBSD)>>
  2. [[https://wiki.opnsense.org/index.php/LibreSSL|OPNsense]] available since OPNsense 15.7<<FootNote(OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.)>>

== Base ==

There are several ways to get a base system without OpenSSL, currently only from source, but soon using binary distributions as well!

=== Build world/kernel from source ===

The files and an svn-diff can be found on [[https://github.com/Sp1l/LibreBSD|LibreBSD]]. You can use the files as an overlay to the /usr/src directory or apply the patch-set. The 11-stable patches are being maintained, the 10-stable patch is no longer maintained (as of 11.0-RC1). You will have to add the LibreSSL sources yourself.

The procedure is documented in the GitHub repo, so we'll not repeat it here.

=== Other sources ===

Currently there are no binary distributions for LibreSSL-in-base, but this is to change with the release of FreeBSD 11.

==== FreeBSD 10 ====

There's a complete repo for [[https://github.com/attilagyorffy/freebsd/tree/10.3-libressl|10.3 from Attila Györffy]] containing a working version.

There's a [[https://github.com/HardenedBSD/hardenedBSD/tree/hardened/10-stable/master-libressl|HardenedBSD repo containing sources for 10-stable]] which adds a lot of additional security features.

=== Upcoming FreeBSD versions ===

There's a [[https://github.com/HardenedBSD/hardenedBSD/tree/hardened/11-stable/master-libressl|HardenedBSD repo for 11-stable (11.0-RC1)]] containing LibreSSL and the additional HardenedBSD security features.

The [[https://github.com/TrueOS/freebsd/tree/drm-next-4.7|repo for the upcoming TrueOS 11 release]] also includes LibreSSL and is great for desktops and laptops.

== LibreSSL versions ==

The OpenBSD project has multiple branches of LibreSSL. This chapter describes how the upstream project and the FreeBSD ports correlate.

'''Stable''' corresponds to `security/libressl`<<BR>>
'''Upcoming''' corresponds to `security/libressl-devel`

During the release cycle of OpenBSD, there are times when there's no "Upcoming" version. At these times, the `security/libressl` and `security/libressl-devel` ports will be the same version.

=== In ports ===

To stay in line with the upstream OpenBSD project, the ports tree will (as of version 2.2/2.3) contain the stable version and the next/snapshot version for early adopters.
|| Date || stable || devel ||
|| 2015-11-01 || 2.2 || 2.3 ||
|| 2016-05-01 || 2.3 || 2.4 ||

As OpenBSD releases their next version of LibreSSL-Portable, the libressl-devel port will link to that next-stable version and you must rebuild all your ports.

== Known problems/quirks ==

security/p5-openxpi: Claimed to not be fully functional by the developers<<BR>>
security/py-cryptography: Claimed to not be fully functional by the developers

=== Building world ===

When you build world while LibreSSL is installed, some base utilities will link against LibreSSL. You will have to update these every time the shared library versions are bumped.

= History =

|| '''Version''' || '''Release''' || '''Days''' || '''libssl/crypto/tls''' ||
||<:-4> LibreSSL 2.0 branch (OpenBSD 5.6) ||
|| [[LibreSSL/History#LibreSSL_2.0.0|2.0.0]] || 2014-07-12 || 1 || 27/30/- ||
|| [[LibreSSL/History#LibreSSL_2.0.1|2.0.1]] || 2014-07-13 || 3 || 27/30/- ||
|| [[LibreSSL/History#LibreSSL_2.0.2|2.0.2]] || 2014-07-16 || 6 || 27/30/- ||
|| [[LibreSSL/History#LibreSSL_2.0.3|2.0.3]] || 2014-07-22 || 12 || 27/30/- ||
|| [[LibreSSL/History#LibreSSL_2.0.4|2.0.4]] || 2014-08-03 || 14 || 27/30/- ||
|| [[LibreSSL/History#LibreSSL_2.0.5|2.0.5]] || 2014-08-17 || 57 || 27/30/- ||
||<:-4> LibreSSL 2.1 (OpenBSD 5.7) ||
|| [[LibreSSL/History#LibreSSL_2.1.0|2.1.0]] || 2014-10-13 || 4 || 27/30/- ||
|| [[LibreSSL/History#LibreSSL_2.1.1|2.1.1]] || 2014-10-17 || 60 || 29/30/- ||
|| [[LibreSSL/History#LibreSSL_2.1.2|2.1.2]] || 2014-12-16 || 37 || 29/30/- ||
|| [[LibreSSL/History#LibreSSL_2.1.3|2.1.3]] || 2015-01-22 || 40 || 30/30/- ||
|| [[LibreSSL/History#LibreSSL_2.1.4|2.1.4]] || 2015-03-04 || 41 || 32/32/- ||
|| [[LibreSSL/History#LibreSSL_2.1.5|2.1.5]] || 2015-03-17 || 13 || 32/32/3 ||
|| [[LibreSSL/History#LibreSSL_2.1.6|2.1.6]] || 2015-03-19 || 2 || 32/32/3 ||
|| [[LibreSSL/History#LibreSSL_2.1.7|2.1.7]] || 2015-06-11 || 84 || 32/32/3 ||
|| [[LibreSSL/History#LibreSSL_2.1.8|2.1.8]] || 2015-10-15 || 126 || 32/32/3 ||
|| [[LibreSSL/History#LibreSSL_2.1.9|2.1.9]] || 2015-12-08 || 54 || 32/32/3 ||
||<:-4> LibreSSL 2.2 (OpenBSD 5.8) ||
|| [[LibreSSL/History#LibreSSL_2.2.0|2.2.0]] || 2015-06-11 || 84 || 32/33/3 ||
|| [[LibreSSL/History#LibreSSL_2.2.1|2.2.1]] || 2015-07-08 || 27 || 33/34/4 ||
|| [[LibreSSL/History#LibreSSL_2.2.2|2.2.2]] || 2015-08-06 || 29 || 35/35/6 ||
|| [[LibreSSL/History#LibreSSL_2.2.3|2.2.3]] || 2015-08-29 || 23 || 35/35/6 ||
|| [[LibreSSL/History#LibreSSL_2.2.4|2.2.4]] || 2015-10-15 || 47 || 35/35/6 ||
|| [[LibreSSL/History#LibreSSL_2.2.5|2.2.5]] || 2015-12-08 || 54 || 35/35/6 ||
|| [[LibreSSL/History#LibreSSL_2.2.6|2.2.6]] || 2016-01-28 || 86 || 35/35/6 ||
|| [[LibreSSL/History#LibreSSL_2.2.7|2.2.7]] || 2016-05-03 || 96 || 35/35/6 ||
|| [[LibreSSL/History#LibreSSL_2.2.8|2.2.8]] || 2016-05-31 || 28 || 35/35/6 ||
|| [[LibreSSL/History#LibreSSL_2.2.9|2.2.9]] || 2016-06-09 || 9 || 35/35/6 ||
||<:-4> LibreSSL 2.3 (OpenBSD 5.9) ||
|| [[LibreSSL/History#LibreSSL_2.3.0|2.3.0]] || 2015-09-23 || 29 || 36/37/9 ||
|| [[LibreSSL/History#LibreSSL_2.3.1|2.3.1]] || 2015-11-03 || 41 || 36/37/9 ||
|| [[LibreSSL/History#LibreSSL_2.3.2|2.3.2]] || 2016-01-28 || 86 || 37/38/10 ||
|| [[LibreSSL/History#LibreSSL_2.3.3|2.3.3]] || 2016-03-23 || 55 || 37/38/10 ||
|| [[LibreSSL/History#LibreSSL_2.3.4|2.3.4]] || 2016-05-03 || 41 || 37/38/10 ||
|| [[LibreSSL/History#LibreSSL_2.3.5|2.3.5]] || 2016-05-31 || 28 || 37/38/10 ||
|| [[LibreSSL/History#LibreSSL_2.3.6|2.3.6]] || 2016-06-09 || 9 || 37/38/10 ||
|| [[LibreSSL/History#LibreSSL_2.3.7|2.3.7]] || 2016-08-01 || 53 || 37/38/10 ||
|| [[LibreSSL/History#LibreSSL_2.3.8|2.3.8]] || 2016-09-27 || 57 || 37/38/10 ||
|| [[LibreSSL/History#LibreSSL_2.3.9|2.3.9]] || 2016-11-06 || 40 || 37/38/10 ||
|| [[LibreSSL/History#LibreSSL_2.3.10|2.3.10]] || 2017-02-01 || 87 || 37/38/10 ||
||<:-4> LibreSSL 2.4 (OpenBSD 6.0) ||
|| [[LibreSSL/History#LibreSSL_2.4.0|2.4.0]] || 2016-05-31 || 28 || 38/39/11 ||
|| [[LibreSSL/History#LibreSSL_2.4.1|2.4.1]] || 2016-06-09 || 9 || 38/39/11 ||
|| [[LibreSSL/History#LibreSSL_2.4.2|2.4.2]] || 2016-08-01 || 53 || 38/39/11 ||
|| [[LibreSSL/History#LibreSSL_2.4.3|2.4.3]] || 2016-09-27 || 57 || 38/39/11 ||
|| [[LibreSSL/History#LibreSSL_2.4.4|2.4.4]] || 2016-11-06 || 40 || 38/39/11 ||
|| [[LibreSSL/History#LibreSSL_2.4.5|2.4.5]] || 2017-02-01 || 87 || 38/39/11 ||
||<:-4> LibreSSL 2.5 (OpenBSD 6.1) ||
|| [[LibreSSL/History#LibreSSL_2.5.0|2.5.0]] || 2016-09-27 || 57 || 38/39/11 ||
|| [[LibreSSL/History#LibreSSL_2.5.1|2.5.1]] || 2017-02-01 || 127 || 41/43/15 ||
|| [[LibreSSL/History#LibreSSL_2.5.2|2.5.2]] || 2017-03-26 || 53 || 41/43/15 ||
|| [[LibreSSL/History#LibreSSL_2.5.3|2.5.3]] || 2017-04-11 || 16 || 41/43/15 ||
|| [[LibreSSL/History#LibreSSL_2.5.4|2.5.4]] || 2017-05-01 || 20 || 41/43/15 ||
|| [[LibreSSL/History#LibreSSL_2.5.5|2.5.5]] || 2017-07-12 || 72 || 41/43/15 ||
||<:-4> LibreSSL 2.6 (OpenBSD 6.2) ||
|| [[LibreSSL/History#LibreSSL_2.6.0|2.6.0]] || 2017-07-12 || 72 || 41/43/15 ||
|| [[LibreSSL/History#LibreSSL_2.6.1|2.6.1]] || 2017-09-06 || 56 || 42/44/16 ||
|| [[LibreSSL/History#LibreSSL_2.6.2|2.6.2]] || 2017-09-26 || 20 || 42/44/16 ||
|| [[LibreSSL/History#LibreSSL_2.6.3|2.6.3]] || 2017-11-06 || 41 || 42/44/16 ||
|| [[LibreSSL/History#LibreSSL_2.6.4|2.6.4]] || 2017-12-19 || 43 || 42/44/16 ||
|| [[LibreSSL/History#LibreSSL_2.6.5|2.6.5]] || 2018-06-13 || 176 || 42/44/16 ||
||<:-4> LibreSSL 2.7 (OpenBSD 6.3) ||
|| [[LibreSSL/History#LibreSSL_2.7.0|2.7.0]] || 2018-03-21 || 92 || 43/45/17 ||
|| [[LibreSSL/History#LibreSSL_2.7.1|2.7.1]] || 2018-03-23 || 2 || 43/45/17 ||
|| [[LibreSSL/History#LibreSSL_2.7.2|2.7.2]] || 2018-04-01 || 9 || 43/45/17 ||
|| [[LibreSSL/History#LibreSSL_2.7.3|2.7.3]] || 2018-05-05 || 34 || 43/45/17 ||
|| [[LibreSSL/History#LibreSSL_2.7.4|2.7.4]] || 2018-06-13 || 39 || 43/45/17 ||
||<:-4> LibreSSL 2.8 (OpenBSD 6.4) ||
|| [[LibreSSL/History#LibreSSL_2.8.0|2.8.0]] || 2018-08-06 || 54 || 43/45/17 ||
|| [[LibreSSL/History#LibreSSL_2.8.1|2.8.1]] || 2018-09-25 || 50 || 44/46/18 ||

The detailed version history was moved to the [[LibreSSL/History|LibreSSL history sub-page]].

= Ports =

Detailed information on specific ports can now be found in the [[LibreSSL/Ports|sub-page]].<<BR>>
Fixes for specific versions can be found in separate pages:

 * [[LibreSSL/Ports#PC-BSD_10.1.2_ports_build|LibreSSL 2.1]] Initial import
 * LibreSSL 2.2 SSLv3 disabled
 * [[LibreSSL/Ports#SSLv3_.2F_SHA-0_removal|LibreSSL 2.3]] SSLv3 removed
 * [[LibreSSL/2.5|LibreSSL 2.5]] (opaque structures)
 * [[LibreSSL/2.6|LibreSSL 2.6]] (more opaque structures)
 * [[LibreSSL/2.7|LibreSSL 2.7]] (OpenSSL 1.1 API)
 * ...
 * [[LibreSSL/3.5|LibreSSL 3.5]] (more OpenSSL 1.1 API and opaque structures)

The first build of all ports with LibreSSL for [[https://pcbsd.org|PC-BSD]] revealed 81 ports which require patching to work properly.

The build of all ports with LibreSSL 2.3, which has removed SSLv3, [[OpenSSL/No-SSLv3|revealed 92 ports]] which require patching to work. This has been captured in the [[OpenSSL]] section as this fallout is considered equal to the fallout of building all ports with OpenSSL with SSLv3 disabled (security_openssl_UNSET=SSL3 / --no-ssl3).

== Types of Failures ==

'''Note: Counts are not up-to-date'''
||<^|2> '''Problem''' ||<^|2> '''Description''' ||<^|2> '''Count''' ||<-2:> '''PRs''' ||<^|2> '''Unsolved''' ||
|| Open || Closed ||
|| '''[[LibreSSL/PatchingPorts#EGD|EGD]]''' || uses RAND_egd methods that no longer exist in LibreSSL  ||<)> 38 ||<)> 12 ||<)> 16 ||<)> 0 ||
|| '''[[LibreSSL/PatchingPorts#Deprecated_des_ methods|DES]]''' || Uses deprecated des_ methods (replaced by DES_ methods) ||<)> 29 ||<)> 4 ||<)> 15 ||<)> 0 ||
|| '''[[LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures|SSLv2]]''' || Uses SSLv2 methods that no longer exist in LibreSSL  ||<)> 7 ||<)> 2 ||<)> 3 ||<)> 0 ||
|| '''[[LibreSSL/PatchingPorts#Uses_removed_Compression|COMP]]''' || Wants SSL compression ||<)> 10 ||<)> 7 ||<)> 4 ||<)> 1 ||
|| '''arc4rand''' || conflict in FreeBSD/LibreSSL libs ||<)> 4 ||<)> 0 ||<)> 0 ||<)> 4 ||
|| '''CMS'''   || Uses deprecated S/MIME methods ||<)> 3 ||<)> 0 ||<)> 3 ||<)> 0 ||
|| '''[[LibreSSL/PatchingPorts#GOST_engine|GOST]]'''  || Uses removed GOST methods ||<)> 2 ||<)> 0 ||<)> 0 ||<)> 2 ||
|| '''PSK'''   || Uses PSK methods ||<)> 4  ||<)> 1  ||<)> 0 ||<)>  2 ||
|| '''[[LibreSSL/PatchingPorts#SSLv2.2FSSLv3_method_failures|SSLv3]]''' || Uses SSLv3 methods that no longer exist in LibreSSL 2.3 ||<)> 85 ||<)> 10 ||<)> 0 ||<)> 5 ||
|| '''[[LibreSSL/PatchingPorts#SHA-0|SHA-0]]''' || Uses SHA-0 methods ||<)> 8  ||<)> 0  ||<)> 0 ||<)>  4 ||
|| '''Other''' || Other issues     ||<)> 25 ||<)> 2 ||<)> 13 ||<)>  8 ||
||<-2> '''TOTAL'''                 ||<)> 204 ||<)> 30 ||<)> 51 ||<)> 33 ||

The net-p2p/bitcoin and other virtual currency applications cannot be fixed: they require bug-compatible OpenSSL libraries.

You can find examples of fixes in [[https://github.com/Sp1l/ports|this GitHub repo]], cross-reference with the [[LibreSSL/Ports#PC-BSD 10.1.2 ports build|PC-BSD 10.1.2 ports build]] chapter of the Ports sub-page.

Specific guidance for fixing the problems in the table above can be found [[LibreSSL/PatchingPorts|here]].
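As an added example (not code from this wiki page or from the Sp1l/ports repo), the following POSIX sh script greps a port's extracted sources for the API families listed in the failure table above, so a maintainer can guess the failure category before attempting a LibreSSL build. The symbol patterns are this example's own assumption and only cover the categories that have a recognisable symbol name (EGD, DES, SSLv2, SSLv3, COMP, SHA-0); the constructed sample source stands in for a real WRKSRC.

```shell
#!/bin/sh
# Added example, not code from the wiki page or the Sp1l/ports repo: grep a port's
# extracted sources (WRKSRC) for the API families the failure table lists, so the
# likely failure category is known before a LibreSSL build is attempted.
# The symbol patterns are this example's own assumption and only cover categories
# with a recognisable symbol name (EGD, DES, SSLv2, SSLv3, COMP, SHA-0).
set -eu

# scan_category NAME PATTERN DIR: print "NAME:lines" when PATTERN (ERE, matched
# as a whole word) occurs anywhere under DIR; print nothing otherwise.
scan_category() {
    n=$(grep -rEw -e "$2" "$3" 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] && printf '%s:%s\n' "$1" "$n"
    return 0
}

# libressl_triage DIR: one line per matching category, in table order.
libressl_triage() {
    scan_category EGD   'RAND_egd(_bytes)?' "$1"
    scan_category DES   'des_[a-z0-9_]+' "$1"                # lowercase des_ API only
    scan_category SSLv2 'SSLv2_(client_|server_)?method' "$1"
    scan_category SSLv3 'SSLv3_(client_|server_)?method' "$1"
    scan_category COMP  'SSL_COMP_[A-Za-z_]+|COMP_(zlib|rle)' "$1"
    scan_category SHA-0 'SHA_(Init|Update|Final)' "$1"       # SHA1_* is not SHA-0
}

# make_sample: constructed source tree standing in for a port's WRKSRC; prints its path.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/tls_legacy.c" <<'EOF'
/* constructed sample of the kinds of calls LibreSSL no longer provides */
#include <openssl/ssl.h>
int seed(void) { return RAND_egd("/var/run/egd-pool"); }
SSL_CTX *mk(void) { return SSL_CTX_new(SSLv3_client_method()); }
void k(des_key_schedule *ks) { des_set_key_checked(0, *ks); }
EOF
    printf '%s\n' "$d"
}

# Usage: sh triage.sh /usr/ports/<category>/<port>/work/<port>-<version>
if [ "${1-}" ]; then
    libressl_triage "$1"
fi
```

Counts are matching source lines, not distinct call sites, so treat the output as a pointer to the table's category and the PatchingPorts page, not as a patch size estimate.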

= LibreSSL (and OpenSSL) Security Vulnerabilities =

Advisories prior to the initial release of LibreSSL (portable) are not included.

||<:> '''Severity''' ||<:> '''LibreSSL''' ||<:> '''OpenSSL''' ||
|| Critical^+^||<)>    ||<)>    ||
|| High       ||<)>  0 ||<)>  5 ||
|| Medium^*^  ||<)> 16 ||<)> 31 ||
|| Low        ||<)>  7 ||<)> 12 ||
|| Total      ||<)> 19 ||<)> 36 ||

^*^ NVD Medium + OpenSSL Moderate<<BR>>
^+^ OpenSSL added Critical level in [[https://www.openssl.org/policies/secpolicy.html|revised severity rating]] 2015-09-28

The list of vulnerabilities of OpenSSL and LibreSSL is kept up-to-date in the 
[[https://en.wikipedia.org/wiki/LibreSSL#Security_and_vulnerabilities|Wikipedia LibreSSL article]]

= Links =
Some more information:

 * [[https://svnweb.freebsd.org/base?view=revision&revision=267379|Cumulative update to arc4random(3)]]
 * [[http://thread.gmane.org/gmane.os.netbsd.bugs/10114|lib/25367]] arc4random state is shared across forks
 * [[http://www.openbsd.org/papers/eurobsdcon2014-libressl.html|LibreSSL: More Than 30 Days Later]] (EuroBSDCon Paper)
 * [[http://www.openbsd.org/papers/eurobsdcon2014_arc4random/index.html|EuroBSDCon 2014 presentation]] arc4random: 1996 to present

----
CategoryProject