LibreSSL or OpenSSL? Try both.

Started by franco, July 10, 2015, 01:16:10 PM

Hi all,

so if you happen to run 15.7.2 or up you can actually switch from OpenSSL to LibreSSL or vice versa on a running system. All you need is a root shell and the following command. We'll add a GUI soon enough, but for everybody willing to test this is how to do it. Before proceeding take a snapshot, back up your configs just in case.

This will move your installation to LibreSSL:

# opnsense-update -n libressl

This will move your installation to OpenSSL ("latest" is a FreeBSD compatible name we adopted before adding LibreSSL):

# opnsense-update -n latest

What we'd like to see is how LibreSSL and OpenSSL still differ and if there are bugs that we can report to FreeBSD as well in that regard. We are also interested in hardware acceleration numbers for both libraries (in terms of VPN throughput) with AES-NI and so forth. We hope that this makes testing as easy as can be. :)


Cheers,
Franco
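As an added example (not from this thread or the OPNsense project), a small POSIX sh helper that tells LibreSSL from OpenSSL by the `openssl version` banner, maps a flavour name to the `opnsense-update -n` target quoted above (OpenSSL is "latest"), and backs up `/conf/config.xml` before switching. The function names are mine; the version banners in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not OPNsense project code: detect and switch SSL flavour.

# Classify a version banner. Constructed samples:
#   "LibreSSL 2.2.1"              -> libressl
#   "OpenSSL 1.0.2d 9 Jul 2015"   -> openssl
ssl_flavor_of() {
  case "$1" in
    LibreSSL*) echo libressl ;;
    OpenSSL*)  echo openssl ;;
    *)         echo unknown; return 1 ;;
  esac
}

# Flavour currently linked on this host (whatever `openssl` is in PATH).
current_ssl_flavor() {
  ssl_flavor_of "$(openssl version 2>/dev/null)"
}

# Map a flavour name to the opnsense-update -n argument from the post:
# "libressl" moves to LibreSSL, "latest" moves back to OpenSSL.
update_target_for() {
  case "$1" in
    libressl) echo libressl ;;
    openssl)  echo latest ;;
    *) echo "unknown flavour: $1" >&2; return 1 ;;
  esac
}

# Back up the running config first (the post advises a backup), then switch.
# Only acts when called explicitly; no-op if already on the wanted flavour.
switch_ssl_flavor() {
  want="$1"
  target=$(update_target_for "$want") || return 1
  if [ "$(current_ssl_flavor)" = "$want" ]; then
    echo "already on $want"
    return 0
  fi
  stamp=$(date +%Y%m%d%H%M%S)
  cp /conf/config.xml "/conf/config.xml.bak.$stamp" || return 1
  opnsense-update -n "$target"
}
```

Call `switch_ssl_flavor libressl` or `switch_ssl_flavor openssl` from a root shell; `current_ssl_flavor` alone reports what is active.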

Hello,

What are the differences between LibreSSL and OpenSSL?

One more;

In pfSense there is an image called memory_stick for the USB installer. Is there any image like the memory_stick installer for OPNsense?

Thank you,
SFN

LibreSSL was forked by OpenBSD developers and is trying to retain compatibility with OpenSSL, but removed unsafe APIs and put a lot of work into hardening the code base. The direct CVE count comparison between the two shows that LibreSSL was indeed safer. You can find a lot of details about why LibreSSL exists on the internet.

The only caveat might be speed, operating system support and other optimisation (hardware acceleration). Since it has become super easy we encourage everyone to try and if it works just the same I'd recommend simply sticking with LibreSSL. There is no more "what if", there is only "do".

The wiki is not exactly up to date, but shows you that the "vga" or "serial" usb installer images are what you are looking for, depending on whether you have an embedded device or a VGA port:

https://wiki.opnsense.org/index.php/Installation_and_Initial_Configuration#OpenSSL_images

What Franco is trying to say is, OpenSSL became a headache for maintainers after a sudden burst of several critical vulnerabilities. So the apparent long term fix was forking and coming up with LibreSSL. :)

Why not offer just LibreSSL in the install image, with an option in the Advanced page to switch to OpenSSL???

It would create less confusion for newbies but still offer the versatility of either/or.

July 19, 2015, 10:37:29 AM #5 Last Edit: July 19, 2015, 10:40:14 AM by franco
That's what I wanted to do for 15.7 initially, only start with OpenSSL as that is the default and changing defaults only leads to trouble. ;)

A little history. 6 months ago we started to look into LibreSSL as a replacement, but found ourselves in a situation where:

(a) LibreSSL existed as a port, but using it as a drop-in replacement for OpenSSL from ports wasn't even remotely possible due to linker errors, old code using deprecated OpenSSL APIs that LibreSSL removed and so on and so forth, and

(b) pkgng was a few major iterations behind and not capable of coping with a seamless replacement of OpenSSL/LibreSSL as package dependencies, and

(c) a mix of both even though most of the work had already been done. ;)

We've helped clean up the fallout in FreeBSD ports along with Bernard Spil (thanks!) and some other interested/involved individuals. At some point we've had help from OpenBSD developers like Stuart Henderson and Loganaden Velvindron eventually easing OPNsense and thus FreeBSD into the idea of a good adoption of LibreSSL. PCBSD joined the venture, too. FreeBSD base not yet though.

We've worked through all of the issues at least for our own packages ecosystem, and come 15.7 we had a major bug in the dependencies/package linking that prevented us from deploying a one-image-fits-all approach just then. With 15.7.1 that changed, but it was too late for the images for obvious reasons. In one of the next couple of stable releases, we'll have said switch in the GUI as we further improve the firmware bits and pieces.

With all these changes, it's better to let things simmer beneath the GUI for a bit until we're completely confident it can be shipped as a standard feature. It's easy to tell somebody to run a command line to try a feature and fix it with him, but a button in the GUI is a lot harder to debug, and users who see that the button doesn't work are simply conditioned to think we have a flaky product. It's a lot harder to get support/bug reports in this case.

All in all, we're almost there now. It's been a great adventure. :)

Quote from: lucifercipher on July 13, 2015, 07:55:49 PM
What Franco is trying to say is, OpenSSL became a headache for maintainers after a sudden burst of several critical vulnerabilities. So the apparent long term fix was forking and coming up with LibreSSL. :)
This is not wrong but also not the exact truth!

As the LibreSSL guys pointed out over and over, they did the fork prior to the Heartbleed security bug, see "LibreSSL & Heartbleed": https://wiki.opnsense.org/index.php/LibreSSL

They always had a "fork" in their OpenBSD source repository, but that was more like what FreeBSD and others do as well and it had no name, no portable release. The release date for Heartbleed was April 7 [1]. The domain was registered on April 11, the project was announced on April 22 [2].

[1] https://en.wikipedia.org/wiki/Heartbleed
[2] https://en.wikipedia.org/wiki/LibreSSL

Poke! ;D

Now what happens when OPNsense decides to ship LibreSSL as the default? I now have OpenSSL running with the options page in the GUI set to "Default". Will my system in that case automatically switch to LibreSSL, or will it keep using OpenSSL until I say otherwise? This because the "Default" will represent OpenSSL now, but after the update, LibreSSL.

(default) means whatever you first chose to install. If you install from the OpenSSL image, it's OpenSSL. If you switch to LibreSSL it is going to be LibreSSL. I don't think OpenSSL is going away soon, although I do think that LibreSSL is a viable replacement.

There is an idiosyncrasy regarding the opnsense package which can work with either LibreSSL or OpenSSL because the dependency is hidden, which makes (default) point to OpenSSL even when LibreSSL was installed, but that is rectified by upgrading to the next opnsense package with a release or by reinstalling said packages (support for this will hit the GUI soon).

Cool. Are OpenSSL and LibreSSL compatible at the moment? I mean, if I change now, do I have to reconfigure some other settings as well?

No changes necessary from the user side. Just flip the switch in the settings, then on to firmware page and check for updates, update and reboot. Done. Just as easy to go back.

Quote from: franco on July 12, 2015, 05:55:55 PM
LibreSSL was forked by OpenBSD developers and is trying to retain compatibility with OpenSSL, but removed unsafe APIs and put a lot of work into hardening the code base. The direct CVE count comparison between the two shows that LibreSSL was indeed safer. You can find a lot of details about why LibreSSL exists on the internet.

The only caveat might be speed, operating system support and other optimisation (hardware acceleration). Since it has become super easy we encourage everyone to try and if it works just the same I'd recommend simply sticking with LibreSSL. There is no more "what if", there is only "do".

The wiki is not exactly up to date, but shows you that the "vga" or "serial" usb installer images are what you are looking for, depending on whether you have an embedded device or a VGA port:

https://wiki.opnsense.org/index.php/Installation_and_Initial_Configuration#OpenSSL_images

Do you still believe this, with the onset of OpenSSL-only images in .11?

We have added the choice for the SSL flavour in the system itself, "Firmware Flavour" in general settings, which removed the need to build a lot of extra install images (which takes a lot of regression time).

It's just a matter of preference, some like LibreSSL more, others like OpenSSL more; we do intend to keep supporting both (and build packages for both of them).

Yup, OpenSSL is the default, but you can simply change it and run a firmware upgrade to apply. Saves us hours of testing image integrity. I don't mind the duplicated package effort for OpenSSL/LibreSSL, but for images it's too much valuable time better spent elsewhere.