openSSL or libreSSL?

I am not trying to start a Flame War and definitely not trolling, just asking a genuine security question.

I read an article which mentioned LibreSSL. Not knowing much, if anything about it, I did some research.

Way back when, ssl and ssh were OpenBSD packages, most emerging Linux distributions adopted them as openssl and openssh. Why re-invent the wheel when there was a perfectly good open source solution. Then in 2012 the Heartbleed problem came along.

From what I understand at that point OpenBSD wanted to go in a certain direction while most Linux distros just wanted to patch things. OpenBSD knew it would be hard to get everyone on the same page so they forked their own package to a new one named LibreSSL. OpenSSH is still maintained by OpenBSD.

I started using Unix in 1974 or 1975 on the job working for AT&T. So I’ve been involved with computers quite a long time. During that time, OpenBSD was considered the OS with the best security. Since SSL (secure socket layer) is what provides encryption when using https, this is an important part of a secure OS. This begs questions which my research did not answer.

  • I assume openssl and libressl are now developed separately, if so how much interaction is there between the two parties?
  • If they are now developed separately, how far apart, if any, are openSSL and libreSSL security wise?
  • For an OS primarily developed for personal use in a secure location (your home), if there are differences are the differences enough to worry about?
  • Should EndeavorOS consider offering libressl as an option, or is it not worth the development time?

As far as I know, Void Linux is the only Linux distribution using LibreSSL out of the box. So if all the rest of the distros are using openssl, there must not be much of a problem, if any. So this is probably making a mountain out of a mole hill…but maybe not.

Anyone with more knowledge on this?

https://www.libressl.org/ < > https://www.openssl.org/

We will not do that, as we do follow Archlinux in that caseand we do not want Develop a separate Fork of Archlinux.

The package at Archlinux (AUR) is so called: FREE version of the SSL/TLS protocol forked from OpenSSL -

EXPRIMENTAL ONLY

1m

Good post.
Void, an interesting distro created by former NetBSD developer (J.R. Pardines).
Nice article on the Gentoo wiki pages:

https://wiki.gentoo.org/wiki/Project:LibreSSL

1 Like