On Fri, 2022-01-28 at 21:18 +0000, Stuart Henderson wrote:
> On 2022-01-28, Laura Smith <[email protected]> wrote:
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> >
> > On Friday, January 28th, 2022 at 14:43, dansk puffer
> > <[email protected]> wrote:
> >
> > > Are there any major security differences between libressl and openssl
> > > nowadays? From what I read the situation for openssl improved and some
> > > Linux distros switched back to openssl again with mostly? OpenBSD
> > > remaining to use libressl.
> >
> > For me at least, my main beef with Libressl is that it has seemingly mostly
> > achieved its security posture by removing functions.
> >
> > Unfortunately the functions removed are not obscure ones, but more common
> > ones such as, IIRC, various very useful certificate and PKCS11 related
> > functions.
>
> I think you'll need to back that up with some examples. Lots of code has
> been removed but much of that is not API-affecting. In particular *common*
> ones are not removed.
>
> Almost nothing in the ports tree uses OpenSSL. The exceptions
> are nsca-ng (PSK was removed; almost nothing uses that),
> opensmtpd-filter-dkimsign (libressl doesn't have all of the ed25519 api
> from newer openssl yet),

To be more precise, this only goes for the -ed25519 flavor. The main flavor is
compiled with libressl. For most people, ed25519 dkim signatures aren't even
interesting yet, since most verifiers out there (including the major players
last time I checked) don't even support it yet.

> sslscan (uses a special build with some
> outdated protocols enabled so that it can scan a server to see what it's
> using), and libretls (implementation of the libtls API against OpenSSL
> backend, used for testing portable versions of some OpenBSD software).
> That's all.
>
> There are some functions from OpenSSL 1.1+ API that haven't been added
> to LibreSSL yet, though these days many of the ones which are _actually_
> used by various software have been added.
>
> (Besides, not adding new functions that were added to OpenSSL after
> LibreSSL was forked is not the same thing as removing functions.)
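The thread turns on which TLS library a program is actually linked against and which features (PSK, newer TLS versions) that library exposes. The following is an added example, not code from the mailing-list post or from any of the ports named in it. It assumes Python's standard ssl module, whose ssl.OPENSSL_VERSION banner reads "LibreSSL x.y.z" or "OpenSSL x.y.z ..." depending on the build, and it parses that banner so a build or test script can branch on the library before touching a feature that one of the two lacks. The sample banners in the test are constructed.

```python
"""Detect whether the running interpreter's ssl module is linked against
LibreSSL or OpenSSL, and report the feature flags the two libraries are
known to differ on (PSK, TLS 1.3).

Added example for this thread; not code from the original post.
"""
import re
import ssl

# Banner formats seen in practice (assumption: other forks such as
# BoringSSL are treated as "unknown" rather than guessed at):
#   "OpenSSL 1.1.1k  25 Mar 2021"
#   "OpenSSL 3.0.2 15 Mar 2022"
#   "LibreSSL 3.8.2"
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (library, (major, minor, patch)) or None if unrecognised."""
    m = _VERSION_RE.match(banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def is_libressl(banner=ssl.OPENSSL_VERSION):
    """True when the banner identifies LibreSSL."""
    parsed = parse_version(banner)
    return parsed is not None and parsed[0] == "LibreSSL"


def feature_report(banner=ssl.OPENSSL_VERSION):
    """Summarise the linked library plus the flags the thread mentions.

    ssl.HAS_PSK only exists on Python 3.13+, so it is read with getattr
    and reported as None on older interpreters instead of raising.
    """
    parsed = parse_version(banner)
    return {
        "library": parsed[0] if parsed else "unknown",
        "version": parsed[1] if parsed else None,
        "psk": getattr(ssl, "HAS_PSK", None),
        "tls13": ssl.HAS_TLSv1_3,
    }


if __name__ == "__main__":
    # Runs against whatever library this interpreter was built with.
    print(feature_report())
```

Running the block prints the live report; the parsing functions take an explicit banner so they can also be unit-tested without depending on the host's build.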

