
Sunday, October 30, 2022

LibreSSL hermit cousin

I have now been through a process of switching back and forth between LibreSSL and openssl at least a few too many times.  I really would prefer to use LibreSSL but it is very much not suited to a standard desktop system with a bunch of other things like multimedia and games installed.  The trouble is not precisely LibreSSL itself but that it is like openssl's hermit cousin, left off in the wilderness somewhere perfectly secure but not dealing much with others.

I'm sure the open source community at large and software in general would be best served if LibreSSL were widely adopted except that it is not.  If you use OpenBSD, I'm certain that LibreSSL is a first class citizen, as well as seeing the soonest updates for LibreSSL on anything OpenBSD or its users actively maintain.  Here in FreeBSD land, we are a bit more cozy with Linux and its upstream whims and therefore cannot expect LibreSSL to be noticed for what it is and can do.  We therefore should not attempt to keep LibreSSL on our personal use machines if we also use a plethora of other software because eventually something will become updated or break or lack compatibility with LibreSSL for a short time or if we're unlucky for weeks or permanently.

In our world, LibreSSL compatibility is not a huge concern, except for firewall-router platforms such as OPNsense.  It may not always be the first choice but it is a choice and with the more security and network oriented applications or plugins involved on such a platform, we can be most assured that LibreSSL will be treated properly, kept up to date with everything else, and likely the software it finds itself among will be well aware of LibreSSL.

I have had LibreSSL in my custom base install for a while, then due to updates of FreeBSD temporarily shifted to openssl, and then back to LibreSSL when I had the time to do so.  Even when I did not have it explicitly in my base install, I had it installed from ports and expected everything to use it.  My most recent difficulty is what has led me to the bizarre (as in why did it take me so damn long) realization that I should quit attempting to use LibreSSL on my desktop machine.  For the longest moment things were working just fine, but then this always ends rather suddenly, with one more mass build via poudriere and a huge pkg upgrade process that then leaves me without various previously installed things.

Two ports that have each become a 'linchpin' for numerous others, in ways that defy my own understanding of the dependency mechanisms, are rust and py-cryptography.  I understand that crypto for or related to SSL makes sense, but it and rust seem to prevent many ports from building when they fail within a poudriere bulk build.  I can look at any number of the ports that are claimed to need rust or py-cryptography, but for some of them these are most certainly not a first-order requirement as I would expect.  Firefox has needed rust for quite a while now, so I can understand that failing, but since when have Xorg or the X apps themselves individually needed rust to build?  In order to battle past this apparent database confusion I now regularly run pkg check -Ba to hopefully correct issues or alert me to them.
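The puzzle above, where a port that never mentions rust still fails when rust does, is usually a transitive dependency. The following is an added example, not the post's own, that walks a constructed dependency list in the shape of `pkg query '%n %dn'` output (hypothetical package names) and reports every package that would be affected by one failing build, with the depth at which it is pulled in:

```shell
#!/bin/sh
# Constructed sample of "package dependency" pairs, one per line, as
# `pkg query '%n %dn'` would print them. Names are hypothetical.
DEPS='
some-gui-app py39-cryptography
py39-cryptography rust
firefox rust
some-gui-app libX11
vim python39
'

# transitive_rdeps NAME: prints "package depth" for every package that
# depends on NAME. Depth 1 is a direct dependency; larger depths are
# packages that only reach NAME through other packages, which is why a
# port can fail on rust without listing it. Breadth-first search over
# the reversed edges of the graph.
transitive_rdeps() {
    printf '%s\n' "$DEPS" | awk -v target="$1" '
        NF == 2 { rdep[$2] = rdep[$2] " " $1 }   # reverse edge: dep -> dependents
        END {
            depth[target] = 0; queue = target
            while (queue != "") {
                n = split(queue, q, " "); queue = ""
                for (i = 1; i <= n; i++) {
                    m = split(rdep[q[i]], r, " ")
                    for (j = 1; j <= m; j++)
                        if (!(r[j] in depth)) {
                            depth[r[j]] = depth[q[i]] + 1
                            queue = queue " " r[j]
                        }
                }
            }
            for (p in depth) if (p != target) print p, depth[p]
        }' | sort
}

# Usage: everything a failed rust build would take down in this sample graph.
transitive_rdeps rust
```

Against a real system, replace the DEPS literal with the output of `pkg query '%n %dn'` to see which of your installed packages sit behind rust or py-cryptography.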

I don't mean for this to be a diatribe against LibreSSL, which performs its job well when used.  It is not the fault of LibreSSL that more things have not been made compatible with it; it is the shortcoming of what is largely the Linux community for not offering it as a functional drop-in where SSL is concerned.  It may be that LibreSSL works best on OpenBSD and for limited software installs such as router-firewall devices, or perhaps even a very limited desktop, but hoping for it to never fail you when you have thousands of other things including games and multimedia installed is expecting too much, and even then it is still not LibreSSL that is the actual issue.  Avoid future headaches: use openssl on your do-everything desktop but employ LibreSSL for your firewall-router box, or maybe containerize all your other tools and games where they can use openssl while the host functions nicely with LibreSSL.
