OpenBSD 5.6 Replaces OpenSSL with LibreSSL

The new SSL/TLS library was built as a response to post-Heartbleed dissatisfaction with OpenSSL. Whether it's as true a plug-in replacement as it claims to be is yet to be determined.
Written by Larry Seltzer, Contributor

The newest version of the OpenBSD operating system, version 5.6, replaces the ubiquitous OpenSSL library with LibreSSL, a fork of OpenSSL created by the OpenBSD team.

OpenSSL remains the dominant code base for SSL/TLS secure communications, rivaled only by Microsoft's CryptoAPI for Windows. But OpenSSL took a big credibility hit early this year with the revelation of the Heartbleed bug, a severe bug which exposed lax development and testing procedures in the OpenSSL project.

In fact, OpenSSL did not have a good reputation among developers for code quality and usability, but the issue gained no urgency until Heartbleed made it well known.

To address these problems, the OpenBSD project, most famous for the OpenBSD operating system and the OpenSSH secure shell, created a fork of the OpenSSL code and called the project LibreSSL. LibreSSL has several goals, including API compatibility with OpenSSL and simplification through the removal of features considered off-mission.

The OpenBSD 5.6 announcement of LibreSSL is dominated by a long list of features not supported, such as:

  • FIPS-140 compliance
  • Support for MacOS, Netware, OS/2, VMS and Windows platforms, as well as "antique" compilers
  • Use of many algorithms, such as MD2, SSLv2, Kerberos, TLS compression and ANSSI elliptic curves
  • The "questionable" DTLS heartbeat extension (the source of Heartbleed)

OpenBSD use is well behind that of Linux and commercial UNIX implementations, but the LibreSSL project can live on its own in Linux systems and may become popular if it can be demonstrated that it is compatible and works well.
