Entry | LibreSSL |
Definition |
Name: LibreSSL
Logo caption: Puffy, the mascot of OpenBSD, made to resemble King Ferdinand[1]
Author: The OpenSSL Project
Developer: The OpenBSD Project
Released: 2.0.0 / 11 July 2014
Programming language: C, assembly, Perl
Operating system: OpenBSD, FreeBSD, NetBSD, Linux, HP-UX, Solaris, macOS, Windows and others[2]
Genre: Cryptography library
License: Apache License 1.0, 4-clause BSD license, ISC license, public domain

LibreSSL is an open-source implementation of the Transport Layer Security (TLS) protocol. The implementation is named after Secure Sockets Layer (SSL), the deprecated predecessor of TLS, for which support was removed in release 2.3.0. The OpenBSD project forked LibreSSL from OpenSSL 1.0.1g in April 2014 as a response to the Heartbleed security vulnerability,[3][4][5][6] with the goals of modernizing the codebase, improving security, and applying development best practices.[7][8][9]

History

After the Heartbleed security vulnerability was discovered in OpenSSL, the OpenBSD team audited the codebase and decided it was necessary to fork OpenSSL to remove dangerous code.[3] The libressl.org domain was registered on 11 April 2014; the project announced the name on 22 April 2014. In the first week of development, more than 90,000 lines of C code were removed.[8][10] Unused code and support for obsolete operating systems were removed.
LibreSSL was initially developed as an intended replacement for OpenSSL in OpenBSD 5.6, and was ported to other platforms once a stripped-down version of the library was stable.[11][12] As of April 2014, the project was seeking a "stable commitment" of external funding.[10]

On 17 May 2014, Bob Beck presented "LibreSSL: The First 30 Days, and What The Future Holds" during the 2014 BSDCan conference, in which he described the progress made in the first month.[13]

On 5 June 2014, several OpenSSL bugs became public. While several projects were notified in advance,[14] LibreSSL was not; Theo de Raadt accused the OpenSSL developers of intentionally withholding this information from OpenBSD and LibreSSL.[15]

On 20 June 2014, Google created another fork of OpenSSL called BoringSSL, and promised to exchange fixes with LibreSSL.[16][17] Google has already relicensed some of its contributions under the ISC license, as requested by the LibreSSL developers.[16][18] On 21 June 2014, Theo de Raadt welcomed BoringSSL and outlined the plans for LibreSSL-portable.[19] Starting on 8 July, code porting for macOS and Solaris began,[20] while the initial porting to Linux began on 20 June.[21]

Adoption

LibreSSL is the default provider of TLS for:
LibreSSL is a selectable provider of TLS for:
Changes

Memory-related

Changes include replacement of custom memory calls with ones in a standard library (for example, Fixes for potential double free scenarios have also been cited in the VCS commit logs (including explicit assignments of null pointer values).[32] There have been extra sanity checks also cited in the commit logs related to ensuring length arguments, unsigned-to-signed variable assignments, pointer values, and method returns.

Proactive measures

In order to maintain good programming practice, a number of compiler options and flags designed for safety have been enabled by default to help in spotting potential issues so they can be fixed earlier (-Wall, -Werror, -Wextra, -Wuninitialized). There have also been code readability updates which help future contributors in verifying program correctness (KNF, white-space, line-wrapping, etc.). Modification or removal of unneeded method wrappers and macros also helps with code readability and auditing (Error and I/O abstraction library references).

Changes were made to ensure that LibreSSL will be year 2038 compatible along with maintaining portability for other similar platforms. In addition,

Cryptographic

There were changes to help ensure proper seeding of random number generator-based methods via replacements of insecure seeding practices (taking advantage of features offered by the kernel itself natively).[33][34] In terms of notable additions made, OpenBSD has added support for newer and more reputable algorithms (ChaCha stream cipher and Poly1305 message authentication code) along with a safer set of elliptic curves (brainpool curves from RFC 5639, up to 512 bits in strength).

Added features

The initial release of LibreSSL added a number of features: the ChaCha and Poly1305 algorithms, the Brainpool (https://tools.ietf.org/html/rfc7027) and ANSSI elliptic curves, and the AES-GCM and ChaCha20-Poly1305 AEAD modes.

Later versions added the following:[40]
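
The memory-related changes described above (standard-library allocation, explicit NULL assignment after free, length sanity checks) look like this in practice. This is an added C example, not code from LibreSSL or from the original article; `struct record` and the `record_*` functions are hypothetical names, and the input in `main` is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical record type for illustration; not a LibreSSL structure. */
struct record { unsigned char *data; size_t len; };

/* Standard calloc() instead of a custom allocator: it returns NULL when
 * count * item_size would overflow size_t, and it zeroes the memory. */
int record_alloc(struct record *r, size_t count, size_t item_size)
{
	r->data = NULL;
	r->len = 0;
	if ((r->data = calloc(count, item_size)) == NULL)
		return -1;
	r->len = count * item_size;
	return 0;
}

/* Length sanity check: claimed_len comes from the peer, in_len is what was
 * actually received. Both bounds are checked before any byte is copied. */
int record_fill(struct record *r, const unsigned char *in, size_t in_len,
    uint16_t claimed_len)
{
	if (r->data == NULL || in == NULL)
		return -1;
	if (claimed_len > in_len || claimed_len > r->len)
		return -1;
	memcpy(r->data, in, claimed_len);
	return (int)claimed_len;
}

/* Free, then assign NULL explicitly: a second call reaches free(NULL),
 * which is defined to do nothing, instead of freeing the block twice. */
void record_free(struct record *r)
{
	free(r->data);
	r->data = NULL;
	r->len = 0;
}

int main(void)
{
	struct record r;
	const unsigned char msg[] = "abc";	/* constructed sample input */
	if (record_alloc(&r, 4, 4) != 0)
		return 1;
	int rejected = (record_fill(&r, msg, 3, 0xffff) == -1);
	record_free(&r);
	record_free(&r);			/* safe: pointer is already NULL */
	return rejected ? 0 : 1;
}
```
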
Old insecure features

The initial release of LibreSSL disabled a number of features by default.[27] Some of the code for these features was later removed, including Kerberos, US-Export ciphers, TLS compression, DTLS heartbeat, SSL v2 and SSL v3.

Later versions disabled more features:
Code removal

The initial release of LibreSSL has removed a number of features that were deemed insecure, unnecessary or deprecated as part of OpenBSD 5.6.[46]
The Dual EC DRBG algorithm, which is suspected of having a back door,[49] was cut along with support for the FIPS 140-2 standard that required it. Unused protocols and insecure algorithms have also been removed, including the support for FIPS 140-2,[50] MD4/MD5,[45] J-PAKE,[46] and SRP.[51]

Bug backlog

One of the complaints about OpenSSL was the number of open bugs reported in the bug tracker that had gone unfixed for years. Older bugs are now being fixed in LibreSSL.[52]

References

1. InfoSec Southwest (2 May 2017). "LibreSSL, almost Two Years Later - Brent Cook". YouTube. https://www.youtube.com/watch?v=Yg3iPoZzt2Q&t=97. Accessed 15 September 2018.
2. "LibreSSL Releases". http://www.libressl.org/releases.html.
3. Unangst, Ted (22 April 2014). "Origins of libressl". flak. http://www.tedunangst.com/flak/post/origins-of-libressl. Accessed 24 April 2014.
4. Kemer, Sean Michael (22 April 2014). "After Heartbleed, OpenSSL Is Forked Into LibreSSL". eWeek. http://www.eweek.com/security/after-heartbleed-openssl-is-forked-into-libressl.html. Accessed 24 April 2014.
5. "Not Just a Cleanup Any More: LibreSSL Project Announced" (22 April 2014). Slashdot. http://it.slashdot.org/story/14/04/22/1240247/not-just-a-cleanup-any-more-libressl-project-announced. Accessed 24 April 2014.
6. M, Constantine (17 May 2014). Soulskill (ed.). "30-Day Status Update On LibreSSL". Slashdot. http://it.slashdot.org/story/14/05/17/2250242/30-day-status-update-on-libressl.
7. "LibreSSL". http://www.libressl.org.
8. Seltzer, Larry (21 April 2014). "OpenBSD forks, prunes, fixes OpenSSL". Zero Day. ZDNet. http://www.zdnet.com/openbsd-forks-prunes-fixes-openssl-7000028613/. Accessed 21 April 2014.
9. Hessler, Peter (15 April 2014). "OpenBSD has started a massive strip-down and cleanup of OpenSSL". OpenBSD Journal. http://www.undeadly.org/cgi?action=article&sid=20140415093252. Accessed 24 April 2014.
10. Brodkin, Jon (22 April 2014). "OpenSSL code beyond repair, claims creator of "LibreSSL" fork". Ars Technica. https://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/. Accessed 24 April 2014.
11. McCallion, Jane (22 April 2014). "Heartbleed: LibreSSL scrubs "irresponsible" OpenSSL code". PC Pro. http://www.pcpro.co.uk/news/security/388309/heartbleed-libressl-scrubs-irresponsible-openssl-code. Accessed 23 April 2014.
12. Larabel, Michael (9 May 2014). "OpenBSD Affirms That LibreSSL Will Be Portable". Phoronix. https://www.phoronix.com/scan.php?page=news_item&px=MTY4NTc. Accessed 30 May 2014.
13. Beck, Bob (17 May 2014). "LibreSSL: The first 30 days, and what the Future Holds Slides". http://www.openbsd.org/papers/bsdcan14-libressl/mgp00003.html. Accessed 17 May 2014.
14. "Re: OpenSSL seven security fixes" (5 June 2014). oss-sec (mailing list). http://seclists.org/oss-sec/2014/q2/466. Accessed 9 June 2014.
15. de Raadt, Theo (5 June 2014). "Re: new OpenSSL flaws". openbsd-misc (mailing list). https://marc.info/?l=openbsd-misc&m=140199662922801&w=2. Accessed 9 June 2014.
16. Langley, Adam (20 June 2014). "BoringSSL (20 Jun 2014)". Imperialviolet.org. https://www.imperialviolet.org/2014/06/20/boringssl.html. Accessed 21 June 2014.
17. Goodin, Dan (20 June 2014). "Google unveils independent "fork" of OpenSSL called "BoringSSL"". Ars Technica. https://arstechnica.com/security/2014/06/google-unveils-independent-fork-of-openssl-called-boringssl/. Accessed 21 June 2014.
18. Sing, Joel (21 June 2014). "OpenBSD — lib/libssl/src/crypto/evp evp_aead.c e_chacha20poly1305.c". https://secure.freshbsd.org/commit/openbsd/ef62f9c8a51b8fb8ce21e1486986f8f3dc7f50a3. Archived at https://archive.is/20140622060845/https://secure.freshbsd.org/commit/openbsd/ef62f9c8a51b8fb8ce21e1486986f8f3dc7f50a3 on 22 June 2014. Accessed 21 June 2014.
19. de Raadt, Theo (21 June 2014). "Boringssl and such". openbsd-tech (mailing list). https://marc.info/?l=openbsd-tech&m=140332790726752&w=2. Accessed 28 October 2015.
20. Beck, Bob (8 July 2014). "OpenBSD - lib/libcrypto/crypto getentropy_osx.c getentropy_solaris.c". https://secure.freshbsd.org/commit/openbsd/bb95c69c5dea2b7ae53fb1036904c27c038bd2b0.
21. Beck, Bob (20 June 2014). "OpenBSD — lib/libcrypto/crypto getentropy_linux.c". https://secure.freshbsd.org/commit/openbsd/1d7eab2186ba0e70b976372401977c2c784ef30a.
22. Marino, John. "[Beta] Switch base to use private LibreSSL libaries [sic]". https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/304ca408000cd34559ef5319b4b5a6766d6eb35b. Accessed 9 November 2018.
23. Raue, Stephan. "OpenELEC Mediacenter - [Beta] OpenELEC 6.0 Beta 2 released". Openelec.tv. http://openelec.tv/news/22-releases/165-beta-openelec-6-0-beta-2-released.
24. "PC-BSD Evolves into TrueOS". https://www.trueos.org/2016/09/01/pc-bsd-evolves-into-trueos/. Accessed 16 September 2016.
25. VonFange, Mark. "PC-BSD 10.1.2: an Interview with Kris Moore". Official PC-BSD Blog. http://blog.pcbsd.org/2015/05/pc-bsd-10-1-2-an-interview-with-kris-moore/. Accessed 15 October 2015.
26. "LibreSSL enabled by default". Void Linux. http://www.voidlinux.eu/news/2014/08/LibreSSL-by-default.html. Accessed 15 October 2015.
27. "Add DEFAULT_VERSIONS=ssl=XXX". Svnweb.freebsd.org. https://svnweb.freebsd.org/ports?view=revision&revision=416965.
28. "Project:LibreSSL - Gentoo". Wiki.gentoo.org. https://wiki.gentoo.org/wiki/Project:LibreSSL.
29. "OPNsense version 15.7 Released". OPNsense. https://opnsense.org/opnsense-version-15-7-released/. Accessed 15 October 2015.
30. Orr, William (23 April 2014). "A quick recap over the last week". OpenSSL Valhalla Rampage. http://opensslrampage.org/post/83631316689/a-quick-recap-over-the-last-week. Accessed 30 April 2014. [self-published source]
31. "OpenBSD LibreSSL CVS Calloc Commits". Secure.freshbsd.org. https://secure.freshbsd.org/search?project=openbsd&q=libssl+calloc.
32. "OpenBSD LibreSSL CVS Double Free Commits". Secure.freshbsd.org. https://secure.freshbsd.org/search?project=openbsd&q=libssl+double+free.
33. "OpenBSD LibreSSL CVS insecure seeding". Secure.freshbsd.org. http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/crypto/rsa/rsa_crpt.c.diff?r1=1.2&r2=1.3.
34. "OpenBSD LibreSSL CVS Kernel Seeding". Secure.freshbsd.org. https://secure.freshbsd.org/commit/openbsd/58777eed1cff7c5b34cbc026278f730176a6dbc2.
35. Beck, Bob (12 October 2014). "LibreSSL 2.1.0 released". openbsd-announce (mailing list). http://marc.info/?l=openbsd-announce&m=141314415604790. Accessed 28 October 2015.
36. Beck, Bob (9 December 2014). "LibreSSL 2.1.2 released". openbsd-announce (mailing list). http://marc.info/?l=openbsd-announce&m=141809396501638. Accessed 28 October 2015.
37. Cook, Brent (22 January 2015). "LibreSSL 2.1.3 released". openbsd-announce (mailing list). http://marc.info/?l=openbsd-announce&m=142193407304782. Accessed 28 October 2015.
38. Cook, Brent (4 March 2015). "LibreSSL 2.1.4 released". openbsd-announce (mailing list). http://marc.info/?l=openbsd-announce&m=142543818707898. Accessed 28 October 2015.
39. Cook, Brent (17 March 2015). "LibreSSL 2.1.5 released". openbsd-announce (mailing list). http://marc.info/?l=openbsd-announce&m=142656309518707. Accessed 28 October 2015.
40. Cook, Brent (19 March 2015). "LibreSSL 2.1.6 released". openbsd-announce (mailing list). http://marc.info/?l=openbsd-announce&m=142678407219391. Accessed 28 October 2015.
41. Cook, Brent (11 June 2015). "LibreSSL 2.1.7 and 2.2.0 released". openbsd-announce (mailing list). https://marc.info/?l=openbsd-announce&m=143404058913441. Accessed 28 October 2015.
42. Cook, Brent (9 July 2015). "LibreSSL 2.2.1 released". openbsd-announce (mailing list). http://marc.info/?l=openbsd-announce&m=143635991232240. Accessed 28 October 2015.
43. Cook, Brent (6 August 2015). "LibreSSL 2.2.2 released". openbsd-announce (mailing list). http://marc.info/?l=openbsd-announce&m=143882451401333. Accessed 28 October 2015.
44. Beck, Bob (16 October 2014). "LibreSSL 2.1.1 released". openbsd-tech (mailing list). http://marc.info/?l=openbsd-tech&m=141346535617562.
45. "LibreSSL-portable ChangeLog". LibreSSL. https://github.com/libressl-portable/portable/blob/master/ChangeLog.
46. Jacoutot, Antoine (1 November 2014). "OpenBSD 5.6 Released". openbsd-announce (mailing list). https://marc.info/?l=openbsd-announce&m=141486254309079. Accessed 28 October 2015.
47. "OpenBSD LibreSSL CVS OPENSSL_NO_HEARTBEATS". http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/d1_both.c.diff?r1=1.6&r2=1.7.
48. Vallat, Miod. "Remove support for big-endian i386 and amd64". openbsd-cvs (mailing list). https://marc.info/?l=openbsd-cvs&m=139776884925793&w=2.
49. Perlroth, Nicole (10 September 2013). "Government Announces Steps to Restore Confidence on Encryption Standards". The New York Times. http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/. Accessed 9 May 2014.
50. "The future (or lack thereof) of LibreSSL’s FIPS Object Module". http://opensslrampage.org/post/83555615721/the-future-or-lack-thereof-of-libressls-fips.
51. Beck, Bob (3 August 2014). "LibreSSL 2.0.4 released". openbsd-announce (mailing list). https://marc.info/?l=openbsd-announce&m=140711256104278. Accessed 28 October 2015.
52. Vallat, Miod (10 November 2014). "Re: CVS: cvs.openbsd.org: src". openbsd-cvs (mailing list). https://marc.info/?l=openbsd-cvs&m=139715677231774. Accessed 28 October 2015.