Contents How to use LibreSSL Problems you'll run into Ports Base LibreSSL versions Known problems/quirks History Ports Types of Failures LibreSSL (and OpenSSL) Security Vulnerabilities Links LibreSSL is a fork of OpenSSL created by OpenBSD.There is also a portable version which is available in the ports tree: security/libressl.LibreSSL has removed a number of OpenSSL features which can result in build issues for software that relies on them.LibreSSL also has functionality that is not available in other ssl libraries on FreeBSD Much of the detail in the original article has now been split into multiple sub-pages You can use LibreSSL with all of your ports, or to replace OpenSSL in base.After switching the OpenSSL provider you MUST rebuild all ports.After switching this will most likely hit you with cURL GSS-API: If you need this you must select one of the ports implementations, you cannot combine ports Open-/LibreSSL with base GSS-API Secure Remote Password (TLS-SRP): Must be disabled Using LibreSSL in stead of OpenSSL has been integrated in the FreeBSD ports framework.

Simply set one of the following in your /etc/make.conf (or corresponding make.conf for poudriere) For the current stable branch For the current next branch after setting this, rebuild all your ports.The standard packages from FreeBSD are still being built with OpenSSL from base and for some packages requiring a newer OpenSSL with OpenSSL from ports.The following FreeBSD derivatives are known to use LibreSSL PC-BSD by default since PC-BSD 10.1.21 OPNsense available since OPNsense 15.72 There are several ways to get a base system without OpenSSL, currently only from source, but soon using binary distributions as well!The files and an svn-diff can be found on LibreBSD.You can use the files as an overlay to the /usr/src directory or apply the patch-set.The 11-stable patches are being maintained, the 10-stable patch is no longer maintained (as of 11.0-RC1).You will have to add the LibreSSL sources yourself.The procedure is documented in the Github Repo so we'll not repeat that here.Currently there are no binary distributions for LibreSSL-in-base but this is to change with the release of FreeBSD 11.

There's a complete repo for 10.3 from Attila Györffy containing a working version.There's a HardenedBSD repo containing sources for 10-stable which adds a lot of additional security features.There's a HardenedBSD repo for 11-stable (11.0-RC1) containing LibreSSL and the additional HardenedBSD security features.The repo for the upgoming TrueOS 11 release which includes LibreSSL and is great for desktops and laptops.The OpenBSD project has multiple branches of LibreSSL.This chapter describes how the upstream project and the FreeBSD ports correlate.Stable corresponds to security/libressl Upcoming corresponds to security/libressl-devel During the release cycle of OpenBSD, there are times when there's no "Upcoming" version.At these times, the security/libressl and security/libressl-devel ports will be the same version.To stay in line with the upstream OpenBSD project, the ports tree will (as of version 2.2/2.3) contain the stable version and the next/snapshot version for early adopters.

Date stable devel 2015-11-01 2.2 2.3 2016-05-01 2.3 2.4 As OpenBSD releases their next version of LibreSSL-Portable, the libressl-devel port will link to that next-stable version and you must rebuild all your ports.bitcoin environmental impactsecurity/p5-openxpi: Claimed to not be fully functional by the developers security/py-cryptography: Claimed to not be fully functional by the developers When you build world when you have LibreSSL installed, some base utilities will link to LibreSSL.why bitcoin difficulty increaseThese you will have to update every time there are shared library versions are bumped Version Release days libssl/crypto/tls LibreSSL 2.0 branch (OpenBSD 5.6) 2.0.0 12 Jul 2014 1 27/30/- 2.0.1 13 Jul 2014 3 27/30/- 2.0.2 16 Jul 2014 6 27/30/- 2.0.3 22 Jul 2014 12 27/30/- 2.0.4 03 Aug 2014 14 27/30/- 2.0.5 17 Aug 2014 57 27/30/- LibreSSL 2.1 (OpenBSD 5.7) 2.1.0 13 Oct 2014 4 27/30/- 2.1.1 17 Oct 2014 60 29/30/- 2.1.2 16 Dec 2014 37 29/30/- 2.1.3 22 Jan 2015 40 30/30/- 2.1.4 04 Mar 2015 41 32/32/- 2.1.5 17 Mar 2015 13 32/32/3 2.1.6 19 Mar 2015 2 32/32/3 2.1.7 11 Jun 2015 84 32/32/3 2.1.8 15 Oct 2015 126 32/32/3 2.1.9 08 Dec 2015 54 32/32/3 LibreSSL 2.2 (OpenBSD 5.8) 2.2.0 11 Jun 2015 84 32/33/3 2.2.1 08 Jul 2015 27 33/34/4 2.2.2 06 Aug 2015 29 35/35/6 2.2.3 29 Aug 2015 23 35/35/6 2.2.4 15 Oct 2015 47 35/35/6 2.2.5 08 Dec 2015 54 35/35/6 2.2.6 28 Jan 2016 86 35/35/6 LibreSSL 2.3 (OpenBSD 5.9) 2.3.0 23 Sep 2015 29 36/37/9 2.3.1 03 Nov 2015 41 36/37/9 2.3.2 28 Jan 2016 86 37/38/10 2.3.3 23 Mar 2016 55 37/38/10 2.3.4 03 May 2016 37/38/10 2.3.5 30 May 2016 37/38/10 2.3.6 06 Jun 2016 37/38/10 LibreSSL 2.4 (OpenBSD 6.0) 2.4.0 30 May 2016 38/39/11 2.4.1 06 Jun 2016 7 38/39/1 The detailed version history was moved to the LibreSSL history sub-page Detailed information on specific ports can now be found in the sub-page The first build of all ports with LibreSSL for PC-BSD revealed 81 ports which require patching to work properly.kiem bitcoin 2014

The build of all ports with LibreSSL 2.3, which has removed SSLv3, revealed 92 ports which require patching to work.This has been captured in the OpenSSL section as this fallout is considered equal to the fallout of building all ports with OpenSSL with SSLv3 disabled (security_openssl_UNSET=SSL3 / --no-ssl3).bitcoin apk hackNote: Counts are not up-to-date Problem Description Count PRs Unsolved Open Closed EGD uses RAND_egd methods that no longer exist in LibreSSL 38 12 16 0 DES Uses deprecated des_ methods (replaced by DES_ methods) 29 4 15 0 SSLv2 Uses SSLv2 methods that no longer exist in LibreSSL 7 2 3 0 COMP Wants SSL compression 10 7 4 1 arc4rand conflict in FreeBSD/LibreSSL libs 4 0 0 4 CMS Uses deprecated S/MIME methods 3 0 3 0 GOST Uses removed GOST methods 2 0 0 2 PSK Uses PSK methods 4 1 0 2 SSLv3 Uses SSLv3 methods that no longer exist in LibreSSL 2.3 85 10 0 5 SHA-0 Uses SHA-0 methods 8 0 0 4 Other Other issues 25 2 13 8 TOTAL 204 30 51 33 The net-p2p/bitcoin and other virtual currency applications will/can not be fixed, they require bug-compatible OpenSSL libaries.ethereum chart 2014