
OpenBSD forks, prunes, fixes OpenSSL

In the wake of Heartbleed, a well-known open source development group is creating a simpler, cleaner version of the dominant OpenSSL.
Written by Larry Seltzer, Contributor

Members of the OpenBSD project, already known for the OpenBSD operating system and related projects such as OpenSSH, OpenBGPD, OpenNTPD, and OpenSMTPD, are creating a fork of the OpenSSL project, likely to be called LibreSSL. (OpenSSL and OpenBSD are completely separate projects with different people working on them.)

OpenSSL is the dominant SSL/TLS library on the Internet, but has suffered significant reputation damage in recent days because of the Heartbleed bug. The incident has revived criticism of OpenSSL as a poorly run project whose source code is impenetrable and whose documentation, where it exists at all, is poor and inaccurate.

The main effort of the LibreSSL project is to remove the very large portion of the code that either serves purposes of very limited interest or was scheduled by OpenSSL for removal but never actually removed.

Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. de Raadt: "Some of that is indentation, because we are trying to make the code more comprehensible. 99.99% of the community does not care for VMS support, and 98% do not care for Windows support. They care for POSIX support, so that the Unix and Unix derivatives can run. They don't care for FIPS. Code must be simple. Even after all those changes, the codebase is still API compatible. Our entire ports tree (8700 applications) continue to compile and work, after all these changes."

A blog site called "OpenSSL Valhalla Rampage" is following the project but is not run by it. de Raadt says he doesn't know who is running it and that the actual LibreSSL team has been too busy to put up a web site.
