Should oe-core add libressl as an alternative to openssl and other
OE SSL/TLS implementations?

We had a request from a customer to add LibreSSL so I was wondering
about the plans of the Yocto community and indeed of the larger Linux
distro community.

Libressl claims (aims?) to be  a more stable, secure TLS implementation
then OpenSSL. It was initially only for OpenBSD but it supports a
variety of platforms now:
   http://www.libressl.org/releases.html
The CVE history enthusiastically summarized on Wikipedia:
   https://en.wikipedia.org/wiki/LibreSSL
does indicate that libressl has been vulnerable to fewer CVEs than
openssl so far. I quickly reviewed:
   https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
but perhaps someone on the list has more direct experience, knowledge
and/or opinions of implementations of TLS? Note that the libressl devs
has stated that they have no interest in FIPS 140-2 certification:
   http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
so that could be a problem for some users.


Other than Arch, and openSUSE Factory build, it seems that no
major linux distro has added libressl:
   http://pkgs.org/search/libressl

An OE libressl recipe is not current indexed:

http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl

If I search more broadly:
   http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl

I see that the OE community does have recipes for:
  gnutls, nss, polarssl (now mbed TLS) and wolfssl.

So what do you think of libressl?

--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON, Canada, K2K 2W5

--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Reply via email to