| LibreSSL | |
|---|---|
| Name | LibreSSL |
| Developer | OpenBSD project |
| Released | 11 April 2014 |
| Latest release version | 3.8.2 |
| Latest release date | 15 January 2024 |
| Operating system | Cross-platform |
| Genre | Cryptographic library, TLS implementation |
| License | Various, primarily ISC license |
| Website | https://www.libressl.org/ |
LibreSSL is a free, open-source implementation of the Transport Layer Security protocol and a general-purpose cryptographic library. It was forked from the OpenSSL codebase in April 2014 by the OpenBSD project, primarily in response to the security concerns highlighted by the Heartbleed vulnerability. The project's explicit goals are to modernize the codebase, improve portability, and apply rigorous security practices inspired by the OpenBSD development model. It serves as the default TLS library in the OpenBSD operating system and is available for numerous other platforms.
Development of the library began immediately after the disclosure of the Heartbleed bug in early April 2014. Members of the OpenBSD project, including Theo de Raadt and other core developers, concluded that the OpenSSL codebase had become too complex to audit effectively. They announced the fork on April 11, 2014; the initial work consisted of removing large amounts of obsolete code, support for outdated operating systems such as Windows Vista, and unclear or unused features. This effort, often described as a "massive cleanup" or a "deportation of bad code," was led by developers such as Bob Beck and Ted Unangst. The project's development is closely tied to the OpenBSD philosophy, which emphasizes simplicity, correctness, and proactive security. An early challenge was making the library build and run on systems other than OpenBSD, which led to a portable version that could be integrated into Linux distributions and other BSD variants.
A primary design principle is the reduction of attack surface through extensive code removal and simplification. The developers eliminated large swathes of legacy code, including support for obsolete protocols like SSLv2 and SSLv3, and removed entire engines such as the FIPS-validated module. The build system was replaced with a more straightforward Automake and Autoconf process, moving away from OpenSSL's custom configuration scripts. It introduced new, memory-safe APIs like `libtls` to provide a simpler interface for application developers, reducing common programming errors. The library also emphasizes secure defaults and incorporates mitigations like ASLR and stack protection where supported by the underlying operating system. Cryptographic algorithms are provided via the LibreSSL crypto library, which is deliberately kept separate from the TLS protocol logic.
While initially focused on OpenBSD, a portable version was released to broaden its use. It is the default, and usually the only, TLS library in the OpenBSD base system and has been adopted by other BSD projects, including FreeBSD, which offers it as an option in its ports collection. Several Linux distributions, such as Alpine Linux, Void Linux, and Gentoo Linux, provide packages or offer it as an alternative to OpenSSL. However, adoption in major enterprise distributions like RHEL or Ubuntu has been limited because of concerns about application compatibility and the dominance of the OpenSSL ecosystem. Many large open-source projects, including OpenSSH, curl, and Apache HTTP Server, can be compiled against it, though they often default to OpenSSL for broader compatibility. The LibreSSL team maintains a compatibility layer that lets some OpenSSL applications link against it with minimal changes.
The fork was a direct reaction to perceived issues in the OpenSSL project's development process and code quality. While both projects share a common ancestry, they have diverged significantly in philosophy and implementation. The LibreSSL project is more aggressive in removing features and legacy code, whereas OpenSSL prioritizes maintaining backward compatibility for a vast range of applications and configurations. This has led to tensions and public debates between developers from both camps, notably involving Theo de Raadt and members of the OpenSSL team. Despite the fork, the disclosure of critical vulnerabilities like Heartbleed led to increased funding and developer attention for OpenSSL from organizations like the Linux Foundation and technology companies such as Google, Microsoft, and IBM. Both projects implement the same core protocols, but they are now independent codebases with different release cycles, security reviews, and feature sets.
The project benefits from the security-focused development practices of the OpenBSD project, including thorough code review, a uniform code style, and disciplined use of C with additional safety constraints. It has undergone several formal security audits, including one funded by the Linux Foundation's Core Infrastructure Initiative in 2015, which identified issues that were subsequently addressed. The code is also under continuous review by the OpenBSD team and external researchers as part of the operating system's audit process. The developers have a policy of promptly removing support for cryptographic algorithms or protocol versions deemed weak, such as RC4 and MD5, ahead of many other implementations. While it has had its own vulnerabilities disclosed, such as those listed in the CVE system, its proponents argue that its simpler codebase makes auditing easier and flaws less likely than in the more complex OpenSSL library.