On 2022-01-28, Laura Smith <n5d9xq3ti233xiyif...@protonmail.ch> wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Friday, January 28th, 2022 at 14:43, dansk puffer
> <danskpuf...@outlook.com> wrote:
>
>> Are there any major security differences between libressl and openssl
>> nowadays? From what I read the situation for openssl improved and some Linux
>> distros switched back to openssl again with mostly? OpenBSD remaining to use
>> libressl.
>
> For me at least, my main beef with Libressl is that it has seemingly mostly
> achieved its security posture by removing functions.
>
> Unfortunately the functions removed are not obscure ones, but more common
> ones such as, IIRC, various very useful certificate and PKCS11 related
> functions.
I think you'll need to back that up with some examples. Lots of code has been removed but much of that is not API-affecting. In particular *common* ones are not removed.

Almost nothing in the ports tree uses OpenSSL. The exceptions are nsca-ng (PSK was removed; almost nothing uses that), opensmtpd-filter-dkimsign (libressl doesn't have all of the ed25519 api from newer openssl yet), sslscan (uses a special build with some outdated protocols enabled so that it can scan a server to see what it's using), and libretls (implementation of the libtls API against OpenSSL backend, used for testing portable versions of some OpenBSD software). That's all.

There are some functions from OpenSSL 1.1+ API that haven't been added to LibreSSL yet, though these days many of the ones which are _actually_ used by various software have been added. (Besides, not adding new functions that were added to OpenSSL after LibreSSL was forked is not the same thing as removing functions.)