OpenBSD forks, prunes, fixes OpenSSL

Summary: In the wake of Heartbleed, a well-known open source development group is creating a simpler, cleaner version of the dominant OpenSSL.

TOPICS: Security

Members of the OpenBSD project, already known for the OpenBSD operating system and related projects such as OpenSSH, OpenBGPD, OpenNTPD, OpenSMTPD, are creating a fork of the OpenSSL project, likely to be called LibreSSL. (OpenSSL and OpenBSD are completely separate projects with different people working on them.)

OpenSSL is the dominant SSL/TLS library on the Internet, but has suffered significant reputation damage in recent days from the Heartbleed bug. The incident has revived criticism of OpenSSL as a poorly run project with source code that is impenetrable and, where it is documented at all, documented badly and inaccurately.

The main effort of the LibreSSL project is to remove the very large portion of the code that serves purposes of very limited interest, or that OpenSSL had scheduled for removal but never actually removed.

Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. de Raadt: "Some of that is indentation, because we are trying to make the code more comprehensible. 99.99% of the community does not care for VMS support, and 98% do not care for Windows support. They care for POSIX support, so that the Unix and Unix derivatives can run. They don't care for FIPS. Code must be simple. Even after all those changes, the codebase is still API compatible. Our entire ports tree (8700 applications) continues to compile and work, after all these changes."

A blog site called "OpenSSL Valhalla Rampage" that is following the project is not run by the project. de Raadt says he doesn't know who is running it and that the actual LibreSSL team has been too busy to put up a web site.

  • OpenSSL cut in half

    Assuming all those numbers are correct and there's about 430,000 lines of code in OpenSSL they have removed about 55% of the code. Kinda pathetic.
    • Fewer features = fewer bugs

      Hey, the less code you have, the less likely it is to break, right? I plan to release NoSSL: a package with absolutely ZERO lines of code, GUARANTEED to be bug free!

      More seriously, though... I don't believe these events warrant the panicked migration away from OpenSSL that they have triggered. However, we will undoubtedly have lots of ignorant users and C-level execs say "better safe than sorry", and switch to some closed-source, un-proven, proprietary SSL implementation (i.e. they'll actually make themselves, on average, less secure).
      • more complicated than that

        First, the major real-world alternative right now for SSL/TLS is Windows Crypto and there's no reason to believe that Windows users are less secure in that regard.

        But the real point is that if there's a flight from OpenSSL it will be to another open source project like this one. Too many users get their OpenSSL from their Linux distro or a similar source. A closed library won't even get considered.
        Larry Seltzer
  • Squeaky wheel

    I was under the impression that OpenSSL was part of OpenBSD (I guess I was mistaken). It seems to me that a trimmed down, properly documented, and properly vetted library (the first two contribute to the third) would be good for everybody.

    Look for a highly embarrassed OpenSSL team to follow LibreSSL's example.
    John L. Ries
    • I think you were thinking of ...

      George Mitchell
      • Probably

        Clearly, I was confused; and I apologize to anyone I might have misled.
        John L. Ries
  • "scheduled by OpenSSL for removal but never actually removed."

    - the inherent problem with trying to keep up with Microsoft and their 'paid' code writers is that there is never enough time, nor resources, to do the janitorial work. Removing 55% of the code and not affecting the system is evidence of the amount of bloat that has accumulated as a result of a lack of participation within the community. Someone needs to do the 'dirty work'; however, being that there is no Glory in doing so and thus no polish for the ego, it is not likely to get done.

    Once again, those who slave over the "Code" get abandoned by the Freeloaders that believe "Evangelisation" is payment enough!

    This is the code that never ends it goes on and on my friend some people started coding it not knowing what to do and they'll continue coding it forever just because...
    • You misunderstand. Or can't read.

      They removed the WINDOWS support and the VMS support.

      Shows where the bloat really was - neither system is POSIX.
      • Missed that

        I don't know about VMS any more (been a long time since I used it), but there used to be an optional POSIX subsystem for it; and Windows has Cygwin and UWin.
        John L. Ries
        • Ack! another typo

          John L. Ries
        • Windows POSIX

          Windows' POSIX subsystem was removed for Windows XP/2003.
          • Didn't say otherwise

            Cygwin still works.
            John L. Ries
          • The bloat was caused by going directly to the Win32

            interface. I think (not certain) the VMS interface would be closely related with a good bit of overlap.
  • Open source projects can be poorly managed ...

    The openssl project has obviously been poorly managed. In the case of open source (gpl) software, financial contributors have to support code contributors. And code contributors who allow feature creep to the point that they can no longer attract enough financial support to maintain those features are guilty of poor management. This has doomed a number of open source projects through the years. Features that are not financially viable should not be introduced in the first place and should be removed if they have been introduced in the past. In the case of a utility like openssl, every line of code carries with it the potential for vulnerabilities. In the past there have been many complaints about Windows being "spaghetti code" and now we discover that the openssl team has likely committed just this sin. Simple code is safe code. Added complexity brings added risk. It is extremely commendable that third parties are finally taking a look at this codebase and attempting to clean it up. I am sure they will attract financial support as they offer a cleaner and more secure product. Hats off to the Open BSD project for undertaking this effort. The result will likely make its way back into Linux in no time and could very well form a formidable competitor to openssl. Even in the open source world, competition is good.
    George Mitchell
    • Minor correction

      OpenSSL is distributed under a BSD-style license, rather than the GPL; but feature creep can strike anywhere.
      John L. Ries
      • Thanks John!

        You are correct, almost; actually it's dual-licensed under BSD and Apache variants, but not GPL for sure. In fact, special steps are taken in Linux for this reason in order to accommodate its use. In any case I suspect we will all benefit from it if Open BSD takes over stewardship of it.
        George Mitchell
  • Open BSD has a truly legendary security reputation ...

    From Wikipedia:

    "OpenBSD includes a number of security features absent or optional in other operating systems, and has a tradition in which developers audit the source code for software bugs and security problems."

    From this perspective one might suspect that libressl could easily become the industry standard on the BSD/Linux side of the server business in no time. Even on the Linux desktop side I for one will be watching for it and will switch in an instant if given the opportunity.
    George Mitchell
    • For more information, one can visit OpenBSD's web site

      Of relevance are the "Audit Process" and "Advisories" sections. The OpenBSD project has been auditing its code since 1996 with a group of 6 to 12 developers. This is not "many eyes". It's a competent, highly-focused team.
      Rabid Howler Monkey
      • Well yes ...

        But it is "many eyes" in addition to a "competent, highly focused team". And I would certainly not dispute your point that the "highly focused team" is far more adept at doing the job than the "many eyes", but the two together are about as airtight as one can get which should be the gold standard for critical software like this. As it was, OpenSSL in retrospect was an accident waiting to happen. Only now are we getting a clear picture of how decrepit the code actually was.
        George Mitchell
        • "OpenSSL in retrospect was an accident waiting to happen"

          What's funny about this, and I don't disagree, is a March 6, 2014, article from SJVN on the latest GnuTLS vulnerability for GNU/Linux:

          "To sum up, no one should be using GnuTLS. There are far better security programs out there starting with the far more popular OpenSSL."

          Interesting that GnuTLS added support for TLS Heartbeat in September, 2012, but I don't know if its implementation was ever vulnerable.

          P.S. I agree that open source is an asset from a security perspective when "many eyes" include individuals that are competent and these individuals actually look at (or otherwise test) the code.
          Rabid Howler Monkey