LibreSSL Continues Marching Forward On BSD Systems
Almost six months ago, OpenBSD developers forked OpenSSL into LibreSSL, and since then this new SSL alternative has continued to advance.
Ted Unangst of OpenBSD gave a talk this weekend in Bulgaria at EuroBSDcon 2014. For those not in attendance, Ted posted his remarks to this page entitled LibreSSL: More Than 30 Days Later.
In the time that LibreSSL has been around, more than one hundred vulnerabilities besides Heartbleed have had to be addressed. LibreSSL has been "gutting the junk" and rewriting lots of code, along with adding new crypto features. The remarks also cover the portability of LibreSSL and the arrival of ressl as the new SSL API.
Ted explained, "Joel and I have been working on a replacement API for OpenSSL, appropriately entitled ressl. Reimagined SSL is how I think of it. Our goals are consistency and simplicity. In particular, we answer the question 'What would the user like to do?' and not 'What does the TLS protocol allow the user to do?'. You can make a secure connection to a server. You can host a secure server. You can read and write some data over that connection. A few goals. First, no OpenSSL types or functions are exposed. In fact, not even any ressl internals are exposed. You should never need to contemplate X.509 or ASN.1. Those are implementation details far beyond the level of caring of most developers or users. As a consequence of that, the API is easy for other languages to bind to. The ressl interface could almost equally well describe transport over ssh tunnels. What do you want? Do you want a secure connection? We give you a secure connection."