Crypto overhaul
Eric McCorkle
eric at metricspace.net
Sun Oct 29 15:18:00 UTC 2017
On 10/29/2017 09:46, bf wrote:
> On 10/29/17, Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
>> --------
>> In message <df46aaa5-13a9-2fc6-bcd2-d57d792800eb at metricspace.net>,
>> Eric McCorkle writes:
>>> On 10/28/2017 09:15, Poul-Henning Kamp wrote:
>>>> --------
>>>> In message <20171028123132.GF96685 at kduck.kaduk.org>, Benjamin Kaduk
>>>> writes:
>>>>
>>>>> I would say that the 1.1.x series is less bad, especially on the
>>>>> last count, but don't know how much you've looked at the
>>>>> differences in the new branch.
>>>>
>>>> While "less bad" is certainly a laudable goal for OpenSSL, I hope
>>>> FreeBSD has higher ambitions.
>>>>
>>>
>>> I'm curious about your thoughts on LibreSSL as a possible option.
>>
>> It retains the horrible APIs, so the potential improvement is finite.
>>
>
> OpenBSD started the task of making OpenSSL easier to use by adding
> things like libtls
>
> (see https://man.openbsd.org/tls_init )
>
> on top of their backwards-compatible libssl. There are similar
> efforts in other libraries like NaCl and its forks, such as libsodium
> ( cf. https://nacl.cr.yp.to/features.html and
> https://www.gitbook.com/book/jedisct1/libsodium/details ). Are these
> the kind of changes you are suggesting?

I know the LibreSSL roadmap includes more plans to improve the API
design to make it more usable.

Overall, I think LibreSSL is the best option, though there needs to be
some investigation into how easily it can be used for kernel and
boot-loader purposes. Things like libsodium are too narrow in their
focus, and BearSSL is too new.

Plus the fact that LibreSSL originates from one of the BSDs and has its
backing is a significant advantage, I think.