OpenBSD Journal

LibreSSL 2.1.2 released.

Contributed by tbert on from the securing-the-gost-of-camelia dept.

Brent Cook writes to tech@openbsd.org:
We have released LibreSSL 2.1.2, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon.

This release greatly improves performance, interoperability and portability, while continuing to be easy to build and integrate into your software projects.

This release includes:

  • Two important cipher suites, GOST and Camellia, have been reworked or reenabled, providing better interoperability with systems around the world.
  • A preview version of the libtls library, a modern and simplified interface for secure client and server communications, is now packaged and can be built optionally for testing. Feedback welcome.
  • Initial support for Microsoft Windows 32-bit and 64-bit flavors has been added for mingw-w64 targets. This can be used to generate native libraries that are usable in other Windows development environments as well.
  • Assembly acceleration of various algorithms for ELF (Linux, BSD, Solaris) and OS X systems is enabled for x86_64 CPUs. More optimizations may be enabled in later releases. These optimizations are disabled with the --disable-asm configure flag.
  • The arc4random_buf(3) calls on FreeBSD and OS X are now replaced with the OpenBSD versions. This fixes current problems with seeding and fork safety until these OSes' built-in implementations can be improved. See these code commits for details:

https://github.com/libressl-portable/portable/commit/8abf8e1e1577f51deb5c3bc01f076205f1bfb268
https://github.com/libressl-portable/portable/commit/0aeb93b9fc9ecf0f9c2e98444545de485168823d

The LibreSSL project also continues improvement of the codebase to reflect modern, safe programming practices.

We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.
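The fork-safety problem the arc4random_buf(3) bullet refers to, shown with a toy generator (an added example, not LibreSSL's code): a userspace PRNG that buffers keystream has its whole state duplicated by fork(), so the child hands out the same bytes as the parent unless it notices the fork and reseeds. The generator, its fixed seed and the pid-based reseed are constructed stand-ins for arc4random's real entropy path.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Toy buffered generator standing in for a userspace CSPRNG such as arc4random_buf:
 * a 64-bit state (splitmix64, NOT cryptographic) fills a keystream buffer handed out byte by byte. */
static struct { uint64_t state; unsigned char buf[32]; size_t have; pid_t pid; } rs;

static uint64_t splitmix64(void) {
    uint64_t z = (rs.state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

static void toy_random_buf(unsigned char *out, size_t n, int detect_fork) {
    /* Fork detection by pid comparison: a changed pid means this state is a fork() copy
     * of the parent's, so reseed and discard the inherited keystream first. A real
     * implementation pulls kernel entropy here; mixing in the pid is a constructed stand-in. */
    if (detect_fork && rs.pid != getpid()) {
        rs.state ^= (uint64_t)getpid() << 32;
        rs.pid = getpid();
        rs.have = 0;
    }
    while (n--) {
        if (rs.have == 0) {            /* refill the keystream buffer */
            for (size_t i = 0; i < sizeof rs.buf; i += 8) {
                uint64_t v = splitmix64(); memcpy(rs.buf + i, &v, 8);
            }
            rs.have = sizeof rs.buf;
        }
        *out++ = rs.buf[--rs.have];
    }
}

/* Seed, fill the buffer, fork, then draw 16 bytes in parent and child (child reports
 * over a pipe). Returns 1 if the child repeated the parent's bytes (not fork safe), 0 if not, -1 on error. */
int child_repeats_parent(int detect_fork) {
    unsigned char p[16], c[16], warm; int fd[2];
    rs.state = 0x0123456789ABCDEFULL; rs.pid = getpid(); rs.have = 0; /* constructed seed */
    toy_random_buf(&warm, 1, detect_fork);   /* buffer now holds unused keystream */
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { toy_random_buf(c, 16, detect_fork); _exit(write(fd[1], c, 16) == 16 ? 0 : 1); }
    toy_random_buf(p, 16, detect_fork);
    if (read(fd[0], c, 16) != 16) return -1;
    waitpid(pid, NULL, 0); close(fd[0]); close(fd[1]);
    return memcmp(p, c, 16) == 0;
}
```

Without detection the child replays the parent's buffered bytes; with the pid check it reseeds and the two streams diverge.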



Comments
  1. By Blake (78.192.104.249) on 2112.net

    I wish the Debian people would get their act together & import this.

    I upgraded FreeRadius the other day on a client's lab box, and the new version completely refuses to start if it's been linked against a version of OpenSSL known to be vulnerable to Heartbleed.

    Including Debian's own patched packages...

    Comments
    1. By Anonymous Coward (91.183.56.64) on

      > I wish the Debian people would get their act together & import this.
      >
      > I upgraded FreeRadius the other day on a client's lab box, and the new version completely refuses to start if it's been linked against a version of OpenSSL known to be vulnerable to Heartbleed.
      >
      > Including Debian's own patched packages...

      Although this is not the way to go, there is this option in security parameters: allow_vulnerable_openssl = yes

    2. By feld (2001:19f0:5c00:8014::64) on

      > I wish the Debian people would get their act together & import this.
      >
      > I upgraded FreeRadius the other day on a client's lab box, and the new version completely refuses to start if it's been linked against a version of OpenSSL known to be vulnerable to Heartbleed.
      >
      > Including Debian's own patched packages...

      FreeRadius is quite the quirky beast. The package on FreeBSD breaks if the OpenSSL in base is patched via a freebsd-update.

      libssl version mismatch. Built with: 90818f Linked: 90819f

      Inexcusable.
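Decoding the two numbers in that message, as an added example (not FreeRADIUS's or LibreSSL's code): they are packed OPENSSL_VERSION_NUMBER values, and the same format is what a Heartbleed startup gate like the one Blake ran into compares against. The range check below is written from the known affected versions (1.0.1 through 1.0.1f); it assumes the shape of such a gate and is not FreeRADIUS's source.

```c
#include <stdio.h>
#include <string.h>

/* OPENSSL_VERSION_NUMBER layout for the 0.9.8/1.0.x series: 0xMNNFFPPS, with M major,
 * NN minor, FF fix, PP patch letter (1 = 'a', 0 = none, 27 = 'za') and S status
 * (0xf = release). Decodes a value such as 0x90818f into "major.minor.fix[letter]". */
void openssl_version_string(unsigned long v, char *out, size_t len) {
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff,
             fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
    if (patch > 26)                      /* 0.9.8za .. 0.9.8zh style double letters */
        snprintf(out, len, "%u.%u.%uz%c", major, minor, fix, 'a' + patch - 27);
    else if (patch)
        snprintf(out, len, "%u.%u.%u%c", major, minor, fix, 'a' + patch - 1);
    else
        snprintf(out, len, "%u.%u.%u", major, minor, fix);
}

/* Renders a header-vs-library disagreement like the one feld's FreeRADIUS reported as a
 * readable line, e.g. "Built with: 0.9.8x Linked: 0.9.8y". Returns 1 if they differ. */
int describe_mismatch(unsigned long built, unsigned long linked, char *out, size_t len) {
    char b[16], l[16];
    openssl_version_string(built, b, sizeof b);
    openssl_version_string(linked, l, sizeof l);
    snprintf(out, len, "Built with: %s Linked: %s", b, l);
    return built != linked;
}

/* Heartbleed affects the 1.0.1 branch from 1.0.1 up to and including 1.0.1f; 1.0.1g
 * and later, and the 0.9.8 and 1.0.0 branches, are not affected. This is the shape of
 * a startup gate such as the one Blake hit (assumed form, not FreeRADIUS's own check). */
int heartbleed_affected(unsigned long v) {
    return v >= 0x10001000UL && v < 0x1000107fUL;
}
```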

    3. By roskegg (50.64.56.205) on http://newlisp.org/

      > I wish the Debian people would get their act together & import this.

      Unlikely. Debian has been compromised for a very long time. Now they are irrelevant. Simple package upgrades and downgrades can lead to the bulk of your core OS being uninstalled.

      Debian had a compromised random number generator for a number of years, and they worked swiftly to prevent a meeting between Packard, Gettys, and the OpenBSD team that could have started to fix the X11 security mess back in 2006.

      http://lwn.net/Articles/625263/

      Comments
      1. By Adam P (71.170.174.13) on

        > > I wish the Debian people would get their act together & import this.
        >
        > Unlikely. Debian has been compromised for a very long time. Now they are irrelevant. Simple package upgrades and downgrades can lead to the bulk of your core OS being uninstalled.
        >
        > Debian had a compromised random number generator for a number of years, and they worked swiftly to prevent a meeting between Packard, Gettys, and the OpenBSD team that could have started to fix the X11 security mess back in 2006.
        >
        > http://lwn.net/Articles/625263/

        You just linked to you saying the same things on another site.

        > Now they are irrelevant.

        Debian is irrelevant? Please elaborate.

        > Simple package upgrades and downgrades can lead to the bulk of your core OS being uninstalled.

        Very random complaint. Are you referencing something in particular? Simple shell commands can lead to the bulk of your core OS being removed too... rm -rf /

        > they worked swiftly to prevent a meeting between Packard, Gettys, and the OpenBSD team that could have started to fix the X11 security mess back in 2006.

        This was responded to in your other post "The maintainer of the X11 port to OpenBSD has also served as the co-lead of X.Org's security team the past few years, and was a member of the X.Org Board of Directors as well. OpenBSD is already as involved as their time and desire allows them to be.

        The biggest obstacle to getting these issues fixed is lack of developer time, not a lack of meetings between big name people with already full schedules."

        Comments
        1. By roskegg (50.64.56.205) on http://newlisp.org/

          > > http://lwn.net/Articles/625263/
          >
          > You just linked to you saying the same things on another site.

          I guess DRY is only appropriate when coding up a RESTful website. :)

          > > Now they are irrelevant.
          >
          > Debian is irrelevant? Please elaborate.

          Irrelevant to me personally, and to the future of operating systems in general. Not irrelevant to anyone that still uses it to run software.

          > > Simple package upgrades and downgrades can lead to the bulk of your core OS being uninstalled.
          >
          > Very random complaint. Are you referencing something in particular? Simple shell commands can lead to the bulk of your core OS being removed too... rm -rf /

          Package management was the thing that made Debian relevant. It had the best package management. BSD has pretty much caught up. When you use the crown jewel package management software to install a new package, and hurriedly have to ^C to stop the package manager from deleting huge swathes of packages because of some simple package conflict. Since Debian has no "base system", these package removals start to cut into what we consider the base system.

          The conflict resolution is really baroque and produces terrible results. Worse than it used to. Debian used to punt: here is a conflict, you figure it out. And that worked pretty well.

          > This was responded to in your other post "The maintainer of the X11 port to OpenBSD has also served as the co-lead of X.Org's security team the past few years, and was a member of the X.Org Board of Directors as well. OpenBSD is already as involved as their time and desire allows them to be.

          And I replied to you in the same place: glad to hear that things have improved so much in the past 8 years, I appreciate the work Matthieu Herrb has done.

          > The biggest obstacle to getting these issues fixed is lack of developer time, not a lack of meetings between big name people with already full schedules."

          Matthieu has said the same thing. My question is: how many more developers are needed, and what will it cost to find qualified ones. Also, what architectural things in X make it harder to secure. What insecure things in X could be made secure with better support from the underlying operating system.

        2. By Anonymous Coward (50.64.56.205) on

          > The biggest obstacle to getting these issues fixed is lack of developer time, not a lack of meetings between big name people with already full schedules."

          I've seen a lot of NIH (not invented here) in the software world. Without some agreement in principle from team leaders, developer effort is easily wasted, and developers burnt out. Developer time is important and needed. I think in war terms; a simple cup of coffee between two generals can avoid thousands of casualties.
