#libressl

Alpine Linux 決定將 OpenSSL 換成 LibreSSL

之前看到 Alpine Linux 是從 Docker 這邊看到的，可以弄出還蠻小巧的 image… 前幾天看到他們宣佈打算將 OpenSSL 換掉，換成 LibreSSL：「[alpine-devel] Alpine edge has switched to libressl」。而且理由也講的頗直接，覺得 OpenSSL 的改善速度還是不滿意，而且市場上有其他還不錯的方案可以選： While OpenSSL is trying to fix the broken code, libressl has simply removed it. 這樣 LibreSSL 又多了生力軍，之前比較大的應該只有 OpenBSD…

OpenBSD 5.6 is Out!

OpenBSD 5.6 released today, November 1, 2014 — like clockwork as always.

OpenBSD 5.6 is of course the first OpenBSD release with LibreSSL, the now-famous fork of the OpenSSL library. But while LibreSSL is an important milestone for OpenBSD, there are many other things in the OpenBSD 5.6 release that warrant attention as well.

If you’re curious about what’s new in OpenBSD 5.6, you can get a sneak…

Provide a ressl config function that explicitly clears keys. Now that ressl config takes copies of the keys passed to it, the keys need to be explicitly cleared. While this can be done by calling the appropriate functions with a NULL pointer, it is simpler and more obvious to call one function that does this for you.

Add a new API function SSL_CTX_use_certificate_chain() that allows to read the PEM-encoded certificate chain from memory instead of a file. This idea is derived from an older implementation in relayd that was needed to use the function with a privep'ed process in a chroot. Now it is time to get it into LibreSSL to make the API more privsep- friendly and to make it available for other programs and the ressl library.