Re: LibreSSL and OpenSSL and *SSL

2018-02-28 Thread Jan Stary
> On Feb 16 20:15:04, notificati...@github.com wrote:
> > OpenSSL was once undersupported because they didn't have funds
> > to have full time staff doing development and maintenance.
> > That ended a long time ago after Heartbleed.
> > The project is now fully funded and has excellent people working on it.

https://marc.info/?l=openbsd-misc&m=151974573718360&w=2


> Now we get to the real thing: LibreSSL is better.
> 
> For those who actually care: please do watch the original
> talks and slides about why LibreSSL even exists:
> 
> https://www.youtube.com/watch?v=GnBbhXBDmwU
> https://www.openbsd.org/papers/bsdcan14-libressl/
> 
> https://www.youtube.com/watch?v=WFMYeMNCcSY
> https://www.openbsd.org/papers/eurobsdcon2014-libressl.html
> 
> Yes, that's almost four years ago. So how many of the
> atrocities mentioned in the above have been fixed?
> Does it still use its own OPENSSL_malloc() that never frees?
> Does it still use its own OPENSSL_strfoo() that is almost,
> but not quite, identical to the usual, well defined strfoo(3)?
> Has the depth of the #ifdef/#ifndef maze dropped from 17?
> Are the security vulnerabilities still rotting in the bug DB for years?
> Is it still impossible to enter the codebase from outside
> without untangling it for weeks?
> 
> The LibreSSL developers state explicitly that heartbleed
> was not why they started their fork. It was things like these.
> https://www.tedunangst.com/flak/post/origins-of-libressl


Re: LibreSSL and OpenSSL and *SSL

2018-02-22 Thread Jan Stary
On Feb 21 21:21:21, h...@stare.cz wrote:
> While it's true that the two versions are not completely compatible,
> in e.g. the opusfile port that started this, the incompatibility
> is completely artificial.
> 
> Opus is an audio codec - why does it need to link with -lssl?
> It wants to play remote audio files, and for that it might need
> to make a secure connection. That's a very basic thing which should
> not depend on this or that version of this or that implementation.
> 
> The noncompatibility is tests for OPENSSL_VERSION_NUMBER<0x10002000L etc
> that already assume that OPENSSL is the only implementation. The patch
> is trivial: add defined(LIBRESSL_VERSION_NUMBER) in 11 places.
> 
> Obviously, I have not studied all the ports that depend on OpenSSL now,
> and I don't doubt that many of them depend on *SSL in a nontrivial way.
> But I would be willing to bet that in a lot of cases, the noncompatibility
> between versions is similarly artificial: upstream simply did not take
> LibreSSL into consideration (yet).

Example: www/lynx

The latest release (which is the release in MP) is 2.8.8.
It was released in February 2014, before LibreSSL existed.

Does it "support" LibreSSL? Yes it does: with LibreSSL installed
and with "depends_lib-append path:lib/libssl.dylib:openssl" it will
compile against the installed LibreSSL, and works just fine.

/opt/local/bin/lynx:
/opt/local/lib/libidn.11.dylib 
/opt/local/lib/libncurses.6.dylib
/opt/local/lib/libssl.43.dylib
/opt/local/lib/libcrypto.41.dylib
/usr/lib/libSystem.B.dylib
/opt/local/lib/libintl.8.dylib
/opt/local/lib/libiconv.2.dylib

Now, this is a web browser. How much more involved can SSL usage get?
Yet it just works. I mean this as an example of showing that the
OpenSSL/LibreSSL "conflict" is largely avoidable.

Jan
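The version-number tests described in the quoted message, as an added example in C (not code from the thread, the opusfile port or the MacPorts pull request). The threshold 0x10002000L is the one quoted above; the value 0x20000000L is what LibreSSL's opensslv.h defines OPENSSL_VERSION_NUMBER to, for every LibreSSL release. The function names, the stand-in LibreSSL version 0x2060000fL used when no real header is installed, and the choice of which code path the test selects are constructed for illustration; which eleven places opusfile actually patched is not shown.

```c
/* Added example: not code from the thread, the opusfile port or the MacPorts
 * pull request. It models the quoted test, OPENSSL_VERSION_NUMBER < 0x10002000L,
 * and shows why LibreSSL needs the defined(LIBRESSL_VERSION_NUMBER) guard. */
#include <stdio.h>

/* Use the real <openssl/opensslv.h> when it is installed; otherwise fall back to
 * constructed stand-in values mimicking what LibreSSL's header reports, so the
 * example also builds on a machine without any *SSL development headers. */
#if defined(__has_include)
#  if __has_include(<openssl/opensslv.h>)
#    include <openssl/opensslv.h>
#  endif
#endif
#ifndef OPENSSL_VERSION_NUMBER
#  define OPENSSL_VERSION_NUMBER  0x20000000L  /* constructed: the fixed value LibreSSL reports */
#  define LIBRESSL_VERSION_NUMBER 0x2060000fL  /* constructed: a LibreSSL 2.6-style number */
#endif

/* Threshold from the quoted test: OpenSSL 1.0.2 in OpenSSL's MNNFFPPS encoding. */
#define OPENSSL_1_0_2 0x10002000L

/* The unguarded test as the thread describes it: it assumes that the only
 * library defining OPENSSL_VERSION_NUMBER is OpenSSL. Returns 1 when the
 * pre-1.0.2 fallback code should be compiled in. */
int naive_legacy_path(unsigned long version_number)
{
    return version_number < OPENSSL_1_0_2;
}

/* The guarded test: LibreSSL pins OPENSSL_VERSION_NUMBER at 0x20000000L, which
 * compares as "newer than OpenSSL 1.0.2" even though that number says nothing
 * about which OpenSSL APIs LibreSSL provides. The number is therefore only
 * meaningful when the library really is OpenSSL; LibreSSL is routed to the
 * fallback explicitly instead of by version comparison. */
int guarded_legacy_path(unsigned long version_number, int is_libressl)
{
    return is_libressl || version_number < OPENSSL_1_0_2;
}

/* Compile-time form of the same decision, written the way a port patch adds
 * defined(LIBRESSL_VERSION_NUMBER) to an existing #if. */
int compiled_legacy_path(void)
{
#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
    return 1;
#else
    return 0;
#endif
}

/* Reports whether the header this translation unit saw was LibreSSL's. */
int compiled_is_libressl(void)
{
#ifdef LIBRESSL_VERSION_NUMBER
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    printf("header OPENSSL_VERSION_NUMBER = 0x%08lx, LibreSSL header: %s\n",
           (unsigned long)OPENSSL_VERSION_NUMBER,
           compiled_is_libressl() ? "yes" : "no");
    printf("naive test takes fallback:   %d\n",
           naive_legacy_path(OPENSSL_VERSION_NUMBER));
    printf("guarded test takes fallback: %d\n", compiled_legacy_path());
    return 0;
}
```

Built against LibreSSL's headers, the naive test reports 0 (it believes it is on a post-1.0.2 OpenSSL) while the guarded test reports 1; built against a real OpenSSL 1.0.2 or later, both report 0, which is why the guard is a harmless addition for the OpenSSL case and the whole difference for the LibreSSL case.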



Re: LibreSSL and OpenSSL and *SSL

2018-02-22 Thread Jan Stary
On Feb 21 16:05:41, h...@stare.cz wrote:
> -rwxr-xr-x  1 root  wheel   392912 Dec 1 20:39 /usr/lib/libssl.0.9.7.dylib
> -rwxr-xr-x  1 root  wheel   630144 Dec 1 20:38 /usr/lib/libssl.0.9.8.dylib
> -rw-r--r--  1 root  wheel   947104 Dec 1 20:38 /usr/lib/libssl.35.dylib
> -rw-r--r--  1 root  wheel   890800 Dec 1 20:39 /usr/lib/libssl.43.dylib

Is this the way MP could install both as well?
Tweak the names so that one is distinguishable from the other?

Jan



Re: LibreSSL and OpenSSL and *SSL

2018-02-21 Thread Jan Stary
On Feb 21 16:05:41, h...@stare.cz wrote:
> First things first: the newer releases of MacOS (10.13.2 here)
> already provide various implementations of crypto/ssl/tls,
> including OpenSSL, LibreSSL and (Google's) BoringSSL:
> 
> hans@fitbook:~$ ls -l /usr/lib/*ssl*
> -rwxr-xr-x  1 root  wheel  1236144 Jan 19 09:32 /usr/lib/libboringssl.dylib
> -rwxr-xr-x  1 root  wheel   392912 Dec  1 20:39 /usr/lib/libssl.0.9.7.dylib
> -rwxr-xr-x  1 root  wheel   630144 Dec  1 20:38 /usr/lib/libssl.0.9.8.dylib
> -rw-r--r--  1 root  wheel   947104 Dec  1 20:38 /usr/lib/libssl.35.dylib
> -rw-r--r--  1 root  wheel   890800 Dec  1 20:39 /usr/lib/libssl.43.dylib
> lrwxr-xr-x  1 root  wheel       15 Dec 10 11:39 /usr/lib/libssl.dylib -> libssl.35.dylib
> 
> hans@fitbook:~$ ls -l /usr/lib/*tls*
> -rwxr-xr-x  1 root  wheel  287408 Dec  1 20:39 /usr/lib/libcoretls.dylib
> -rwxr-xr-x  1 root  wheel   60464 Dec  1 20:39 /usr/lib/libcoretls_cfhelpers.dylib
> -rw-r--r--  1 root  wheel  159264 Dec  1 20:39 /usr/lib/libtls.15.dylib
> -rw-r--r--  1 root  wheel   92032 Dec  1 20:39 /usr/lib/libtls.6.dylib
> lrwxr-xr-x  1 root  wheel      14 Dec 10 11:39 /usr/lib/libtls.dylib -> libtls.6.dylib
> 
> hans@fitbook:~$ ls -l /usr/lib/*crypto*
> -rwxr-xr-x  1 root  wheel    13520 Jan 19 09:32 /usr/lib/libapple_crypto.dylib
> -rwxr-xr-x  1 root  wheel  2023584 Dec  1 20:39 /usr/lib/libcrypto.0.9.7.dylib
> -rwxr-xr-x  1 root  wheel  2599488 Dec  1 20:38 /usr/lib/libcrypto.0.9.8.dylib
> -rw-r--r--  1 root  wheel  4228016 Dec  1 20:39 /usr/lib/libcrypto.35.dylib
> -rw-r--r--  1 root  wheel  4274800 Dec  1 20:39 /usr/lib/libcrypto.41.dylib
> lrwxr-xr-x  1 root  wheel       18 Dec 10 11:39 /usr/lib/libcrypto.dylib -> libcrypto.35.dylib
> lrwxr-xr-x  1 root  wheel       54 Dec 10 11:39 /usr/lib/libk5crypto.dylib -> /System/Library/Frameworks/Kerberos.framework/Kerberos
> 
> 
> The default SSL implementation is /usr/lib/libssl.dylib -> libssl.35.dylib,
> the base MacOS binaries are compiled against (wait for it) LibreSSL,
> 
>   hans@fitbook:~$ /usr/bin/curl --version
>   curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20
>   zlib/1.2.11 nghttp2/1.24.0
>   Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
>   pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
>   Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
>   SSL libz HTTP2 UnixSockets HTTPS-proxy 
> 

Also,

  $ /usr/bin/openssl 
  OpenSSL> version
  LibreSSL 2.2.7


> and if you link with -lssl, you are using LibreSSL:
> 
>   hans@fitbook$ cc -o prog prog.c -lssl
>   hans@fitbook$ otool -L ./prog
>   ./prog:
> /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
> /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
> 
> 
> Let me say it again:
> MacOS _has_already_moved_ to LibreSSL as the default.

The adoption seems to have started no later than with 10.11.4
https://eclecticlight.co/2016/03/23/the-tls-mess-in-os-x-el-capitan/
(The latest I have before this 10.13.2 is 10.6.8)

Jan



LibreSSL and OpenSSL and *SSL

2018-02-21 Thread Jan Stary
A simple patch to allow opusfile to build against LibreSSL
https://github.com/macports/macports-ports/pull/1217
devolved into an OpenSSL/LibreSSL debate
that probably belongs here instead.


First things first: the newer releases of MacOS (10.13.2 here)
already provide various implementations of crypto/ssl/tls,
including OpenSSL, LibreSSL and (Google's) BoringSSL:

hans@fitbook:~$ ls -l /usr/lib/*ssl*
-rwxr-xr-x  1 root  wheel  1236144 Jan 19 09:32 /usr/lib/libboringssl.dylib
-rwxr-xr-x  1 root  wheel   392912 Dec  1 20:39 /usr/lib/libssl.0.9.7.dylib
-rwxr-xr-x  1 root  wheel   630144 Dec  1 20:38 /usr/lib/libssl.0.9.8.dylib
-rw-r--r--  1 root  wheel   947104 Dec  1 20:38 /usr/lib/libssl.35.dylib
-rw-r--r--  1 root  wheel   890800 Dec  1 20:39 /usr/lib/libssl.43.dylib
lrwxr-xr-x  1 root  wheel       15 Dec 10 11:39 /usr/lib/libssl.dylib -> libssl.35.dylib

hans@fitbook:~$ ls -l /usr/lib/*tls*
-rwxr-xr-x  1 root  wheel  287408 Dec  1 20:39 /usr/lib/libcoretls.dylib
-rwxr-xr-x  1 root  wheel   60464 Dec  1 20:39 /usr/lib/libcoretls_cfhelpers.dylib
-rw-r--r--  1 root  wheel  159264 Dec  1 20:39 /usr/lib/libtls.15.dylib
-rw-r--r--  1 root  wheel   92032 Dec  1 20:39 /usr/lib/libtls.6.dylib
lrwxr-xr-x  1 root  wheel      14 Dec 10 11:39 /usr/lib/libtls.dylib -> libtls.6.dylib

hans@fitbook:~$ ls -l /usr/lib/*crypto*
-rwxr-xr-x  1 root  wheel    13520 Jan 19 09:32 /usr/lib/libapple_crypto.dylib
-rwxr-xr-x  1 root  wheel  2023584 Dec  1 20:39 /usr/lib/libcrypto.0.9.7.dylib
-rwxr-xr-x  1 root  wheel  2599488 Dec  1 20:38 /usr/lib/libcrypto.0.9.8.dylib
-rw-r--r--  1 root  wheel  4228016 Dec  1 20:39 /usr/lib/libcrypto.35.dylib
-rw-r--r--  1 root  wheel  4274800 Dec  1 20:39 /usr/lib/libcrypto.41.dylib
lrwxr-xr-x  1 root  wheel       18 Dec 10 11:39 /usr/lib/libcrypto.dylib -> libcrypto.35.dylib
lrwxr-xr-x  1 root  wheel       54 Dec 10 11:39 /usr/lib/libk5crypto.dylib -> /System/Library/Frameworks/Kerberos.framework/Kerberos


The default SSL implementation is /usr/lib/libssl.dylib -> libssl.35.dylib,
the base MacOS binaries are compiled against (wait for it) LibreSSL,

  hans@fitbook:~$ /usr/bin/curl --version
  curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20
  zlib/1.2.11 nghttp2/1.24.0
  Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
  pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
  Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
  SSL libz HTTP2 UnixSockets HTTPS-proxy 

and if you link with -lssl, you are using LibreSSL:

  hans@fitbook$ cc -o prog prog.c -lssl
  hans@fitbook$ otool -L ./prog
  ./prog:
/usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)


Let me say it again:
MacOS _has_already_moved_ to LibreSSL as the default.


(I'll reply to the comments from the original
closed thread in a followup mail.)

Jan