Date: Sun, 29 Oct 2017 11:17:58 -0400 From: Eric McCorkle <eric@metricspace.net> To: bf1783@gmail.com, Poul-Henning Kamp <phk@phk.freebsd.dk> Cc: Benjamin Kaduk <bjk@freebsd.org>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, Ben Laurie <ben@links.org>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>, "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org> Subject: Re: Crypto overhaul Message-ID: <61210249-105c-974c-1dae-1837e5969054@metricspace.net> In-Reply-To: <CAGFTUwNzRiz4ifuPr6RWemPUAnZv-bMDaLag5HXgUxhw0-Hs4g@mail.gmail.com> References: <dc08792a-3215-611c-eb9f-4936a0d621f9@metricspace.net> <CAG5KPzws=jmF2wLeEAz8Lzn7Ugude=0w5neoQjeDjYnGtJpS9Q@mail.gmail.com> <13959.1509132270@critter.freebsd.dk> <CAG5KPzxGtAwV-svCv24FbZtLvxKCwX7OSyb2pPaTc63EUmFFGA@mail.gmail.com> <20171028022557.GE96685@kduck.kaduk.org> <23376.1509177812@critter.freebsd.dk> <20171028123132.GF96685@kduck.kaduk.org> <24228.1509196559@critter.freebsd.dk> <df46aaa5-13a9-2fc6-bcd2-d57d792800eb@metricspace.net> <28039.1509260726@critter.freebsd.dk> <CAGFTUwNzRiz4ifuPr6RWemPUAnZv-bMDaLag5HXgUxhw0-Hs4g@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 10/29/2017 09:46, bf wrote: > On 10/29/17, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote: >> -------- >> In message <df46aaa5-13a9-2fc6-bcd2-d57d792800eb@metricspace.net>, Eric >> McCorkl >> e writes: >>> On 10/28/2017 09:15, Poul-Henning Kamp wrote: >>>> -------- >>>> In message <20171028123132.GF96685@kduck.kaduk.org>, Benjamin Kaduk >>>> writes: >>>> >>>>> I would say that the 1.1.x series is less bad, especially on the last >>>>> count, >>>>> but don't know how much you've looked at the differences in the new >>>>> branch. >>>> >>>> While "less bad" is certainly a laudable goal for OpenSSL, I hope >>>> FreeBSD has higher ambitions. >>>> >>> >>> I'm curious about your thoughts on LibreSSL as a possible option. >> >> It retains the horrible APIs, so the potential improvement is finite. >> > > OpenBSD started the task of making OpenSSL easier to use by adding > things like libtls > > (see https://man.openbsd.org/tls_init ) > > on top of their backwards-compatible libssl. There are similar > efforts in other libraries like NaCl and its forks, such as libsodium > ( cf. https://nacl.cr.yp.to/features.html and > https://www.gitbook.com/book/jedisct1/libsodium/details ). Are these > the kind of changes you are suggesting? I know the LibreSSL roadmap includes more plans to improve the API design to make it more usable. Overall, I think LibreSSL is the best option, though there needs to be some investigation into how easily it can be used for kernel and boot-loader purposes. Things like libsodium are too narrow in their focus, and BearSSL is too new. Plus the fact that LibreSSL originates from one of the BSDs and has its backing is a significant advantage, I think.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?61210249-105c-974c-1dae-1837e5969054>