Date: Sun, 29 Oct 2017 17:15:14 +0000
From: Ben Laurie <ben@links.org>
To: Eric McCorkle <eric@metricspace.net>
Cc: Benjamin Kaduk <bjk@freebsd.org>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>, "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org>, Poul-Henning Kamp <phk@phk.freebsd.dk>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, bf1783@gmail.com
Subject: Re: Crypto overhaul
Message-ID: <CAG5KPzx4brki=sAbtwxqs_%2BBPj5BvgPWv=NTyZezccrE6tP5QQ@mail.gmail.com>
In-Reply-To: <61210249-105c-974c-1dae-1837e5969054@metricspace.net>
References: <dc08792a-3215-611c-eb9f-4936a0d621f9@metricspace.net> <CAG5KPzws=jmF2wLeEAz8Lzn7Ugude=0w5neoQjeDjYnGtJpS9Q@mail.gmail.com> <13959.1509132270@critter.freebsd.dk> <CAG5KPzxGtAwV-svCv24FbZtLvxKCwX7OSyb2pPaTc63EUmFFGA@mail.gmail.com> <20171028022557.GE96685@kduck.kaduk.org> <23376.1509177812@critter.freebsd.dk> <20171028123132.GF96685@kduck.kaduk.org> <24228.1509196559@critter.freebsd.dk> <df46aaa5-13a9-2fc6-bcd2-d57d792800eb@metricspace.net> <28039.1509260726@critter.freebsd.dk> <CAGFTUwNzRiz4ifuPr6RWemPUAnZv-bMDaLag5HXgUxhw0-Hs4g@mail.gmail.com> <61210249-105c-974c-1dae-1837e5969054@metricspace.net>
On 29 October 2017 at 15:17, Eric McCorkle <eric@metricspace.net> wrote:
> On 10/29/2017 09:46, bf wrote:
>> On 10/29/17, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>>> --------
>>> In message <df46aaa5-13a9-2fc6-bcd2-d57d792800eb@metricspace.net>, Eric McCorkle writes:
>>>> On 10/28/2017 09:15, Poul-Henning Kamp wrote:
>>>>> --------
>>>>> In message <20171028123132.GF96685@kduck.kaduk.org>, Benjamin Kaduk writes:
>>>>>
>>>>>> I would say that the 1.1.x series is less bad, especially on the last count,
>>>>>> but don't know how much you've looked at the differences in the new branch.
>>>>>
>>>>> While "less bad" is certainly a laudable goal for OpenSSL, I hope
>>>>> FreeBSD has higher ambitions.
>>>>>
>>>>
>>>> I'm curious about your thoughts on LibreSSL as a possible option.
>>>
>>> It retains the horrible APIs, so the potential improvement is finite.
>>>
>>
>> OpenBSD started the task of making OpenSSL easier to use by adding
>> things like libtls
>>
>> (see https://man.openbsd.org/tls_init )
>>
>> on top of their backwards-compatible libssl. There are similar
>> efforts in other libraries like NaCl and its forks, such as libsodium
>> ( cf. https://nacl.cr.yp.to/features.html and
>> https://www.gitbook.com/book/jedisct1/libsodium/details ). Are these
>> the kind of changes you are suggesting?
>
> I know the LibreSSL roadmap includes more plans to improve the API
> design to make it more usable.
>
> Overall, I think LibreSSL is the best option, though there needs to be
> some investigation into how easily it can be used for kernel and
> boot-loader purposes. Things like libsodium are too narrow in their
> focus, and BearSSL is too new.
>
> Plus the fact that LibreSSL originates from one of the BSDs and has its
> backing is a significant advantage, I think.

Mostly it originates from OpenSSL.
:-)