
The state of LibreSSL in FreeBSD - attilagyorffy
https://attilagyorffy.com/2016/07/02/the-state-of-libressl-in-freebsd/
======
cm3
Outside of the BSDs, Void Linux is a Linux distro that uses LibreSSL instead
of OpenSSL and they also have a stable musl flavor (no glibc).

~~~
anonbanker
Gentoo ~x86/~amd64 also supports LibreSSL with the "libressl" USE flag. Makes
for a great hardened (Grsecurity/PaX) install for servers/chromebooks.

~~~
cm3
Is there also a Gentoo profile for a system-wide clang/llvm? Add libressl and
musl (instead of glibc), and it would be quite a different and advantageous
Linux distro.

~~~
anonbanker
Not sure about clang/llvm, but you can definitely build with musl or uClibc
rather than glibc.

Gentoo is largely what you make it, while Void is about sane defaults.

------
hiphopyo
It's awesome that cool things from OpenBSD are being ported over to FreeBSD,
but why not just use OpenBSD from the get-go? It's already a struggle having
to deal with FreeBSD's outdated version of pf.

iTWire - Crypto: FreeBSD playing catch-up, says De Raadt:
[http://www.itwire.com/business-it-news/open-source/62641-crypto-freebsd-playing-catch-up-says-de-raadt](http://www.itwire.com/business-it-news/open-source/62641-crypto-freebsd-playing-catch-up-says-de-raadt)

~~~
aphextron
FreeBSD and OpenBSD are ideologically opposed. FreeBSD is free as in freedom,
OpenBSD is free as in beer.

~~~
Teckla
Both FreeBSD and OpenBSD are BSD licensed.

Why do you think FreeBSD is free as in freedom?

------
sverige
Good news for FreeBSD. I agree that LibreSSL is the best bet for the future.

~~~
ryuuchin
There's also BoringSSL[1] but that might be even more of a departure than
LibreSSL in terms of API compatibility. I still think it's surprising that we
don't see more BoringSSL being used especially with nginx.

[1]
[https://boringssl.googlesource.com/boringssl/](https://boringssl.googlesource.com/boringssl/)

~~~
detaro
Why would you use it, if the people making it explicitly recommend against you
doing so?

~~~
jaas
There are some good reasons not to use it. Primarily the lack of API stability
and that, as you mention, the people making it caution against it.

But to answer your question, why would someone choose to use it anyway? One
reasonable justification is that many people believe (probably myself
included) that the quality is superior to openssl or libressl. The APIs are
unstable but the flip side of that coin is that they're probably better. Also
the engineering practices behind boringssl have led to what I would call
relatively high quality code. It's well structured, clear, and maybe less
likely to suffer as many serious bugs as the alternatives. Time will tell.

Not that I'm recommending it for everyone, just answering your question.
Quality is often in the eye of the beholder, use what works best for you.

------
azinman2
Isn't it not yet ready for production?

~~~
aninteger
This really depends on what your production environment requires. LibreSSL is
mostly API compatible with OpenSSL but removes FIPS and support for esoteric
platforms. If your production environment requires Windows 3.1 or big endian
amd64 then probably LibreSSL is not ready for your production environment.
Seriously though, some of us are already using LibreSSL in production without
problems.

