On 10/29/2017 09:46, bf wrote:
> On 10/29/17, Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
>> --------
>> In message <df46aaa5-13a9-2fc6-bcd2-d57d792800eb at metricspace.net>,
>> Eric McCorkle writes:
>>> On 10/28/2017 09:15, Poul-Henning Kamp wrote:
>>>> --------
>>>> In message <20171028123132.GF96685 at kduck.kaduk.org>, Benjamin Kaduk
>>>> writes:
>>>>
>>>>> I would say that the 1.1.x series is less bad, especially on the last
>>>>> count,
>>>>> but don't know how much you've looked at the differences in the new
>>>>> branch.
>>>>
>>>> While "less bad" is certainly a laudable goal for OpenSSL, I hope
>>>> FreeBSD has higher ambitions.
>>>>
>>>
>>> I'm curious about your thoughts on LibreSSL as a possible option.
>>
>> It retains the horrible APIs, so the potential improvement is finite.
>>
>
> OpenBSD started the task of making OpenSSL easier to use by adding
> things like libtls
>
> (see https://man.openbsd.org/tls_init )
>
> on top of their backwards-compatible libssl. There are similar
> efforts in other libraries like NaCl and its forks, such as libsodium
> ( cf. https://nacl.cr.yp.to/features.html and
> https://www.gitbook.com/book/jedisct1/libsodium/details ). Are these
> the kind of changes you are suggesting?

I know the LibreSSL roadmap includes more plans to improve the API
design to make it more usable.

Overall, I think LibreSSL is the best option, though there needs to be
some investigation into how easily it can be used for kernel and
boot-loader purposes. Things like libsodium are too narrow in their
focus, and BearSSL is too new.

Plus the fact that LibreSSL originates from one of the BSDs and has its
backing is a significant advantage, I think.