[OE-core] Add libreSSL to oe-core?
Randy MacLeod
randy.macleod at windriver.com
Mon May 4 18:45:25 UTC 2015
Should oe-core add libressl as an alternative to openssl and other
OE SSL/TLS implementations?
We had a request from a customer to add LibreSSL so I was wondering
about the plans of the Yocto community and indeed of the larger Linux
distro community.
Libressl claims (aims?) to be a more stable, secure TLS implementation
then OpenSSL. It was initially only for OpenBSD but it supports a
variety of platforms now:
http://www.libressl.org/releases.html
The CVE history enthusiastically summarized on Wikipedia:
https://en.wikipedia.org/wiki/LibreSSL
does indicate that libressl has been vulnerable to fewer CVEs than
openssl so far. I quickly reviewed:
https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
but perhaps someone on the list has more direct experience, knowledge
and/or opinions of implementations of TLS? Note that the libressl devs
has stated that they have no interest in FIPS 140-2 certification:
http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
so that could be a problem for some users.
Other than Arch, and openSUSE Factory build, it seems that no
major linux distro has added libressl:
http://pkgs.org/search/libressl
An OE libressl recipe is not current indexed:
http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl
If I search more broadly:
http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl
I see that the OE community does have recipes for:
gnutls, nss, polarssl (now mbed TLS) and wolfssl.
So what do you think of libressl?
--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON,
Canada, K2K 2W5
More information about the Openembedded-core
mailing list