Contributed by weerd from the must-have-missed-starssl-then dept.
The project's name going forward is LibreSSL, and according to the (so far spartan) website, the first release will be included in OpenBSD 5.6, which is expected to be released November 1st, 2014.
The order of the day (or following weeks and months, more likely) is cleanup first, then, as it says on the website,
> For other OS's
>
> Multi OS support will happen once we have:
>
> - Flensed, refactored, rewritten, and fixed enough of the code so we have a stable baseline that we trust and can be maintained/improved.
> - The right Portability team in place.
> - A Stable Commitment of Funding to support an increased development and porting effort.
>
> We know you all want this tomorrow. We are working as fast as we can but our primary focus is good software that we trust to run ourselves. We don't want to break your heart.
Also just in: Ars Technica has a story about LibreSSL: OpenSSL code beyond repair, claims creator of “LibreSSL” fork, with a nice sampling of quotables from Theo de Raadt (deraadt@), while Ted Unangst (tedu@) has contributed an "origins of libressl" blog post and just told misc@ that FIPS mode is not coming back to LibreSSL.
By Rich (62.232.9.62) on
By Anonymous Coward (188.126.223.162) on
"OpenSSL is based on SSLeay by Eric Andrew Young and Tim Hudson, development of which unofficially ended on December 17, 1998"
https://en.wikipedia.org/wiki/Openssl#History_of_the_OpenSSL_project
By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/
>
> "OpenSSL is based on SSLeay by Eric Andrew Young and Tim Hudson, development of which unofficially ended on December 17, 1998"
>
> https://en.wikipedia.org/wiki/Openssl#History_of_the_OpenSSL_project
>
I /just/ realized yesterday that "libeay" is based on an acronym for one of the author's names.
All these years trying to remember how that stupid libname is spelled and pronounced...
And yes, there is no official link between OpenBSD and OpenSSL. OpenBSD has a relationship with OpenSSL like any other downstream implementer: they used it, trusted it to a point, and contributed patches to upstream.
By @jdv (62.232.9.62) on
By Rich (62.232.9.62) on
"...wikinonesense.com..../" - Errr, nope - that doesn't answer my question either
Thank you for not answering my question at all. Are you saying that it's not a reasonable question? I mean, the OSSL web page used to look exactly like the OBSD web page, the name is suspiciously similar, and some of the same guys worked on both projects. So it is/isn't (?) part of OBSD?
And I love the fact that I've been modded down by 5 people no less! For daring to ask a question!! What a heinous crime I have committed. It's lovely to see the OBSD team spirit is alive and well :)
By Anonymous Coward (91.9.214.118) on
>
> "...wikinonesense.com..../" - Errr, nope - that doesn't answer my question either
>
> Thank you for not answering my question at all. Are you saying that it's not a reasonable question? I mean, the OSSL web page used to look exactly the OBSD web page, the name is suspiciously similar, and some of the same guys worked on both projects. So it is/isn't (?) part of OBSD?
>
> And I love the fact that I've been modded down by 5 people no less! For daring to ask a question!! What a heinous crime I have committed. It's lovely to see the OBSD team spirit is alive and well :)
There's a lot of information on the Internet; perhaps you've heard of it.
By Rich (62.232.9.62) on
By Anonymous Coward (91.9.214.118) on
No, just the person who doesn't take the time to access the information to which he has access before bothering others to spoon-feed it to him. It's not always about you personally, just the shit you're pulling at that moment.
By Chris (50.71.129.10) on
Is stoning people that refuse to do basic research really an option? That changes things!
By phessler (phessler) on why in god's name am I wearing pants?
>
> "...wikinonesense.com..../" - Errr, nope - that doesn't answer my question either
>
> Thank you for not answering my question at all. Are you saying that it's not a reasonable question? I mean, the OSSL web page used to look exactly the OBSD web page, the name is suspiciously similar, and some of the same guys worked on both projects. So it is/isn't (?) part of OBSD?
>
I will simplify:
OpenSSL is NOT (repeat, NOT) from the OpenBSD project. OpenBSD is not responsible for any code in OpenSSL. Nobody from the OpenBSD project is or was part of the OpenSSL project.
OpenSSL was incorporated into the OpenBSD codebase, because OpenBSD used their crypto and ssl libraries.
Now, OpenBSD has forked the OpenSSL tree into LibReSSL, and is fixing it. OpenBSD is only responsible for code in LibReSSL.
Is this all clear now?
By Anonymous Coward (70.31.112.39) on
For anyone who looked, it was clear before; I don't think the people that didn't bother looking are going to be any better informed now, though.
I bet there are dozens of people arguing about how dumb it is that OpenBSD is forking their own code and making a big deal out of it.
By BL (85.24.209.88) on
You are confusing OpenSSL, which has no relation to OpenBSD, with the OpenBSD-driven project OpenSSH. It is the latter website (www.openssh.org) that looks very similar to www.openbsd.org.
By Anonymous Coward (152.77.159.23) on
Why also keep that SSL?
By Anonymous Coward (2003:56:2e26:a800:584e:1986:1464:e77f) on
>
> Why also keep that SSL?
lib ReSSL
By Anonymous Coward (188.126.223.162) on
True, we should also rename OpenBSD so we don't confuse people making them think we have something to do with OpenOffice, or basically anything that begins with Open.
By Anonymous Coward (152.77.159.23) on
>
> True, we should also rename OpenBSD so we don't confuse people making them think we have something to do with OpenOffice, or basically anything that begins with Open.
Ok, the libreoffice was far stretched, but maybe you never noticed the continuity in openbsd, openssh, opencvs, openntpd, etc., while RMS professed the word libre as part of the modern version of his manifesto. This naming reeks of the troll.
By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/
> Ok, the libreoffice was far streched, but you never maybe noticed the continuity in openbsd, openssh, opencvs, openntpd, etc, while RMS professed the world libre as part of modern version of his manifesto. This naming reeks the troll.
>
Are you having a stroke?
By Anonymous Coward (37.160.62.123) on
> > Ok, the libreoffice was far streched, but you never maybe noticed the continuity in openbsd, openssh, opencvs, openntpd, etc, while RMS professed the world libre as part of modern version of his manifesto. This naming reeks the troll.
> >
> Are you having a stroke?
>
you funny lol
By Anonymous Coward (152.77.159.23) on
> > Ok, the libreoffice was far streched, but you never maybe noticed the continuity in openbsd, openssh, opencvs, openntpd, etc, while RMS professed the world libre as part of modern version of his manifesto. This naming reeks the troll.
> >
> Are you having a stroke?
>
From preteen trolls that probably run XP and never write a line of code? Hardly, but I guess this is what I get when trying to speak here.
By Anonymous Coward (130.185.136.244) on
>
> Why also keep that SSL?
OpenTLS was taken, so they had to pick something different.
BSDTLS/BSDSSL doesn't make sense, because most of the code is still under the OpenSSL license.
So now you're left with <SOMETHING>(SSL/TLS). LibreSSL is just as good as anything else. Also, most people won't care about the name anyway.
By Anonymous Coward (91.151.125.100) on
Open-OpenSSL?
By Anonymous Coward (2003:56:2e26:a800:584e:1986:1464:e77f) on
> Open-OpenSSL?
>
Any name incorporating "OpenSSL" is specifically disallowed by the OpenSSL copyright.
By Anonymous Coward (2601:6:51c0:f1:597a:37a6:4e71:3f88) on
Trolls will.
Everyone else will pass on the name and focus on the enhanced security of the code.
By Tualha (68.101.72.192) tualha@pobox.com on
Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
Tell you what. I will happily donate some money after they remove those idiocies. Not before.
By stsp (217.197.84.42) on
By Tualha (68.101.72.192) tualha@pobox.com on
By Paul Irofti (bulibuta) on gopher://sdf.lonestar.org/1/users/bulibuta
You are very confused. Go read-up on the OpenSSL origins.
By Tualha (68.101.72.192) tualha@pobox.com on
By henning (41.141.104.144) on
> ugliness. All it accomplishes is to make them look unprofessional and
> immature.
looks like we succeeded in annoying at least one web hipster.
couldn't care less whether that makes us look unprofessional and immature. you forgot the "to me" in that sentence anyway.
the code counts. period.
By vvim (unisoftdesign) on
>
Yeah, because it's so important to make yourself look pro and sucker the internet into using your crap code...
There's too many fakers who take themselves too seriously, dude. Chill out & hack. Stop wearing a tie and let your beard grow.
By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/
> >
>
> Yeah, because it's so important to make yourself look pro and sucker the internet into using your crap code...
>
> There's too many fakers who take themselves too seriously, dude. Chill out & hack. Stop wearing a tie and let your beard grow.
Or, grow a big mustache, wax it, and wear a bow-tie.
Or, side-burns and a cravat.
Wait, no. A goatee and a stylish scarf.
Really, just forget to shave for a few days and put on some clothes.
By Anonymous Coward (192.168.15.148) on
At least they're going one better than OpenSSL and actually offering to take away the horrible stuff :-)
By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/
>
> Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
>
> Tell you what. I will happily donate some money after they remove those idiocies. Not before.
>
If you see the blink tag, get a better browser. That tag is no longer part of any modern spec, and good browsers ignore it. If Comic Sans annoys you, change the CSS locally.
If you want better TLS on your platform, consider that "community" works both ways, and quality code isn't cheap.
Think about the for-profit behemoths that include this code in their products. Google and Apple have paid for stuff like this before. They will do it again, because it is good business.
"Free" doesn't mean "cheap."
Right now OpenBSD is simply updating its libssl. You don't have to care how that is happening, if you don't want to. If *you* want a port of this libssl to your platform, then someone is going to have to do that. And a TLS C library is not something that can just be grown by committee. You have to have smart people who know what they are doing. People like this should be paid for that work.
Or, you know, feel free to use OpenSSL forever. They might actually maintain it at some point again.
By Tualha (68.101.72.192) tualha@pobox.com on
Oh, I'm running the very latest Firefox. And sure enough, it blocks the blink tag -- unless the web designer goes to the trouble to add this:
> People like this should be paid for that work.
Indeed, and as I indicated above, I'll be happy to donate to that cause, as soon as they stop acting like adolescents and their website stops looking like a 1995 Geocities page.
By jdv (216.16.224.222) jdv@clevermonkey.org on http://clvrmnky.org/
>
> Oh, I'm running the very latest Firefox. And sure enough, it blocks the blink tag -- unless the web designer goes to the trouble to add this:
>
Like I said, get a browser that works. I see no blink tags with FF anywhere. I don't care why, but it is a fact that blink can be disabled everywhere easily. Why are you even going there?
>
> People like this should be paid for that work.
>
> Indeed, and as I indicated above, I'll be happy to donate to that cause, as soon as they stop acting like adolescents and their website stops looking like a 1995 Geocities page.
1. The design of a project web site has little or nothing to do with the project itself. (Other than advertisement and LibreSSL _doesn't need advertisement_)
2. Open Source is not magic fairy dust. This is a serious undertaking, and it is perfectly reasonable to ask for money for the OpenBSD Foundation for this or any other project. OpenBSD always asks for money. Always have. Always will.
3. It is also perfectly reasonable for you to not want to give anyone money.
But making some crack about the quality of the project web page being the deciding factor for you makes you look like a jerk, and your comments are being modded down appropriately.
Your priorities aren't straight. You'll want to see about that.
Will you benefit from the project once completed _in less than 6 months_? If not, stop worrying about HTML markup and CSS of a page that means nothing to you. Will you benefit from a port of the library eventually? Signs point to "yes", so do with that what you will.
It still has little to do with a web site that was designed to piss you off, and has succeeded. Do you want to be that easy to annoy?
Again, you can continue to use OpenSSL. They might even fix some bugs in it eventually. They are only a few years behind.
By who cares? (156.35.221.167) on
>
> Indeed, and as I indicated above, I'll be happy to donate to that cause, as soon as they stop acting like adolescents and their website stops looking like a 1995 Geocities page.
1. OpenBSD developers do not act like adolescents; they come from hacker culture. It may not fit some tie-targeted business models, but to clever people what really matters are results and, trust me, this one will become the most serious SSL implementation.
2. I prefer the old '90s pre-Google, pre-privacy-violations Internet to the current one. I prefer some simple design that works and carries information to pretty software GUIs and overdesigned web pages that carry bugs, waste of resources and, sometimes, backdoors and "hidden gifts".
By Anonymous Coward (91.154.66.65) on
Better yet, disable web fonts, pick a font that is readable, and don't let pages override it. Just look at how many vulnerabilities freetype has had in it. Then look at the code -- do you really need to expose >100ksloc of complexity just so someone can shove his ugly designer fonts on you, while wasting CPU cycles and memory?
By phessler (phessler) on why in god's name am I wearing pants?
>
> Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
>
> Tell you what. I will happily donate some money after they remove those idiocies. Not before.
>
So, your biggest problem with fixing OpenSSL is /the font/, and not the fact /people are removing obscene security holes/ ? Are you sure you have your priorities in the correct order?
By Anonymous Coward (130.185.136.244) on
The OpenBSD developers have been using Comic Sans for their slides for years, nobody ever complained.
It's amazing how many people focus on and comment on the site, especially given the comment in the footer.
I guess humour is beyond a rather large number of people.
By Anonymous Coward (2001:67c:2e8:13:e5dd:849e:2c77:a942) on
>
> Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
>
> Tell you what. I will happily donate some money after they remove those idiocies. Not before.
>
Wow, you don't like Comic Sans? Why do you have it on your system then? It's not like they went through the trouble of making it a web downloadable font.
By Chris (142.161.27.175) on
>
> Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
>
> Tell you what. I will happily donate some money after they remove those idiocies. Not before.
>
The important question is: if they don't bow to your aesthetic demands, will you refuse to make use of the code when it finds its way into your favorite Linux distro?
By Anonymous Coward (166.48.188.146) on
>
> Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
>
> Tell you what. I will happily donate some money after they remove those idiocies. Not before.
>
Good to know the devs are more focussed on the code than the web page.
By Anonymous Coward (216.16.224.222) on
>
> Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
>
> Tell you what. I will happily donate some money after they remove those idiocies. Not before.
>
Here ya go: http://userstyles.org/styles/94722/comic-sans-everywhere
By Anonymous Coward (68.96.73.45) on
> This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags
>
> Wow, I'm in awe. Not only did they use Comic Sans and the blink tag, they're actually asking for money to make those misfeatures go away! Way to be taken seriously, folks. Way to serve the community.
>
> Tell you what. I will happily donate some money after they remove those idiocies. Not before.
>
By Anonymous Coward (37.5.0.146) on
I think about RC4, MD5 (new certs get signed with sha...), DES, 3DES (does anybody seriously use it in https, for example), DSA (suspected backdoored by NSA)...
Sure, not everything can get dropped, but including algorithms like chacha20 would then be an improvement.
I expect that LibreSSL will take over the role of the most dominant SSL library in some years, like OpenSSH took over from SSH.
Thus you don't need an IETF to define standards; YOU ARE the standards committee. :-)
I know a cleanup will take time, but it would be good if those who support this project actively keep in mind that it is YOU who make the standards now. I am sure some known cryptographers would assist in more theoretical aspects. :-)
By jdv (216.16.224.222) jdv@clevermonkey.org on h
>
> I think about RC4, MD5 (new certs get signed with sha...), DES, 3DES (does anybody seriously uses it in https for example), DSA (suspected backdoored by NSA)...
>
> Sure not everything can get dropped but including algorithms like chacha20 then would be an improvement.
>
> I exspect that libreSSL will take over the rule as becomming the most dominant SSL libary in some years. Like OpenSSH took over from SSH.
>
> Thus you don't need a IETF to define standards, YOU ARE the standard comite. :-)
>
>
> I know a cleanup will take time but it would be good if those who support this project actively keep in mind that it is YOU who makes the standards now. I am sure some known cryptographers would assist in more theoretical aspects. :-)
Reading the commits, some of this work is being anticipated and discussed.
By phessler (phessler) on why in god's name am I wearing pants?
>
> I think about RC4, MD5 (new certs get signed with sha...), DES, 3DES (does anybody seriously uses it in https for example), DSA (suspected backdoored by NSA)...
>
> Sure not everything can get dropped but including algorithms like chacha20 then would be an improvement.
>
> I exspect that libreSSL will take over the rule as becomming the most dominant SSL libary in some years. Like OpenSSH took over from SSH.
>
> Thus you don't need a IETF to define standards, YOU ARE the standard comite. :-)
>
>
> I know a cleanup will take time but it would be good if those who support this project actively keep in mind that it is YOU who makes the standards now. I am sure some known cryptographers would assist in more theoretical aspects. :-)
Step one is to remove broken things, not to change the API. Removing algorithms is a later step.
(for those that noticed some "algorithms" being removed earlier: those were hot-pluggable engines, that were either never enabled or required a 3rd party module. Some of them were terrifyingly insecure.)
By JimBob (140.158.252.22) on
>
It makes sense to remove RC4, MD5, and DES, at the very least. The attacks against RC4 are good enough to make anybody nervous about trusting it, and collision and preimage attacks against MD5 are pretty scary. The key length on DES is simply too short to be acceptable.
3DES is, to the best of everybody's knowledge, still... okay, if not perfect. There are good reasons to avoid it, of course: it's slow as hell, there are some theoretical attacks that would give any good cryptologist pause, and worrying about weak keys is an annoyance. It certainly shouldn't be the default algorithm (and probably ought to be disabled by default, actually). But if you're working with legacy systems, 3DES might be nice to have. At the same time, it's that much more code to maintain-- I can see both sides of the argument on this one, though I lean toward throwing it out.
DSA is a bit trickier. There are some pretty big known weaknesses in DSA-- for instance, if you don't pick the k-values in a sufficiently random way, security falls apart pretty quickly. Some folks speculate that this is a backdoor, but it isn't the "smoking gun" that we saw with DUAL_EC_DRBG.
I would argue that, even if DSA isn't backdoored, it's pretty brittle. If anybody can implement DSA securely, it will be Theo and crew. But, whether DSA is backdoored or not, there are other digital signature techniques (RSA being the most common) that aren't as easy to screw up and get wrong. Unfortunately, backdoor or no, DSA is in pretty wide use-- so disabling it could cause problems.
RC4, MD5, and DES desperately need to go bye-bye. Use of 3DES and DSA should be discouraged at a minimum, and might need to be deprecated entirely.
We'll see what the team does. For right now, I'm just glad to know that some security professionals with good track records are giving the OpenSSL code a thorough working-over.
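The "k-value" weakness described in the post above, as an added example that is not code from this thread or from LibreSSL: a toy DSA with a 61-bit q, two signatures made with a repeated nonce, recovery of the private key from that pair, a defender's check that flags repeated r values in a batch of signatures, and a deterministic nonce derivation that removes the dependence on a random source. The choice of q = 2^61 - 1, the constructed key and messages, and the simplified HMAC-based nonce derivation (a stand-in for the full RFC 6979 procedure a real library should follow) are assumptions of the example, not anything stated on the page.

```python
"""Toy DSA showing why the per-signature nonce k must be unique and unpredictable.

Added example, not from LibreSSL or the comment thread. Parameters are deliberately
tiny so everything runs in milliseconds; production DSA uses far larger primes and
must follow FIPS 186 / RFC 6979 exactly.
"""
import hashlib
import hmac

Q = 2**61 - 1  # assumption: a known Mersenne prime used as the toy subgroup order


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with a base set that is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params():
    """Smallest prime p = j*Q + 1 and a generator g of order Q (constructed toy group)."""
    j = 2
    while not is_probable_prime(j * Q + 1):
        j += 2
    p = j * Q + 1
    h = 2
    while pow(h, j, p) == 1:
        h += 1
    return p, Q, pow(h, j, p)


P, _, G = make_params()


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def sign(x: int, msg: bytes, k: int):
    """Textbook DSA signature with a caller-supplied nonce k (1 <= k < Q)."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (hash_to_int(msg) + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick another k")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (hash_to_int(msg) * w) % Q, (r * w) % Q
    return ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q == r


def recover_private_key(msg1, sig1, msg2, sig2) -> int:
    """Two signatures under the same k share r; from them k, and then x, follow."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different nonces; nothing to recover")
    h1, h2 = hash_to_int(msg1), hash_to_int(msg2)
    k = ((h1 - h2) % Q) * pow((s1 - s2) % Q, -1, Q) % Q
    return ((s1 * k - h1) % Q) * pow(r1, -1, Q) % Q


def find_reused_r(signatures):
    """Defender's check: any r value seen twice in a batch means a repeated nonce."""
    seen = {}
    for i, (r, _s) in enumerate(signatures):
        seen.setdefault(r, []).append(i)
    return {r: idx for r, idx in seen.items() if len(idx) > 1}


def deterministic_nonce(x: int, msg: bytes) -> int:
    """Derive k from key and message (assumption: simplified HMAC stand-in for RFC 6979)."""
    mac = hmac.new(x.to_bytes(8, "big"), hashlib.sha256(msg).digest(), hashlib.sha256)
    return 1 + int.from_bytes(mac.digest(), "big") % (Q - 1)


def demo():
    x = 0x1234567890ABCDE % Q  # constructed toy private key
    y = pow(G, x, P)
    m1, m2 = b"transfer 10", b"transfer 9000"  # constructed messages
    bad_k = 0xC0FFEE  # the bug: a constant nonce reused across signatures
    sig1, sig2 = sign(x, m1, bad_k), sign(x, m2, bad_k)
    good1 = sign(x, m1, deterministic_nonce(x, m1))
    good2 = sign(x, m2, deterministic_nonce(x, m2))
    return {
        "all_verify": all(verify(y, m, s) for m, s in [(m1, sig1), (m2, sig2), (m1, good1), (m2, good2)]),
        "key_leaked": recover_private_key(m1, sig1, m2, sig2) == x,
        "reused_r": find_reused_r([sig1, sig2, good1, good2]),
        "deterministic_distinct": good1[0] != good2[0],
    }


if __name__ == "__main__":
    print(demo())
```

All four signatures verify, which is the point: a verifier cannot tell the broken signatures from the good ones, so the repeated-r check has to run on the signatures themselves, and the deterministic derivation has to be in the signer.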
By phessler (phessler) on why in god's name am I wearing pants?
>
> I think about RC4, MD5 (new certs get signed with sha...), DES, 3DES (does anybody seriously uses it in https for example), DSA (suspected backdoored by NSA)...
MD5 is mandatory for some protocols, so that cannot be removed.
RC4 is still useful for some things, but should be discouraged from general use.
I don't know of any standards mandating DSA, but they likely exist.
Regardless of our feelings about these algorithms, we will need to keep compatibility. Of course, we should also try to help them be retired from active use.
By sneaker (204.11.200.61) on
By Anonymous Coward (216.16.224.222) on
Please make your comments more red.
By Anonymous Coward (31.172.30.3) on
Do you even know what bikeshedding is?
By Anonymous Coward (68.96.73.45) on
http://undeadly.org/cgi?action=article&sid=20140415093252&pid=6
oh nohz r u laughing nao noobz? pheer meh.
By Anonymous Coward (216.16.224.222) on
>
> http://undeadly.org/cgi?action=article&sid=20140415093252&pid=6
>
> oh nohz r u laughing nao noobz? pheer meh.
Can we still make fun of you?
By Fredrik Ludl (85.24.249.64) fredrik@ludl.se on
> >
> > http://undeadly.org/cgi?action=article&sid=20140415093252&pid=6
> >
> > oh nohz r u laughing nao noobz? pheer meh.
>
> Can we still make fun of you?
>
I think the LibreSSL webpage is really cool. :)
It's informative; it tells me what has happened, and what will happen.
As a user I get the information I want/need.
The authors' stylish approach is a clear way to express their intentions. :)
So if we leave the programmers in peace for a while, and donate, we will get a state-of-the-art program with library in November. (We will see the progress in -current, I presume.)
By chronicdiscord (70.31.112.39) on
I really think it would be great to see a Puff with a lucha libre theme should this child process do well.