Hacker News

LibreSSL has documentation. It's an OpenBSD project, so you use the man pages.

http://man.openbsd.org/openssl

Unfortunately, LibreSSL is not FIPS 140-2 compliant, so you can't leverage it for open source development of secure applications for the US government (though this is more to do with the certification headache than a fault of LibreSSL itself).


Based on Ted's take on FIPS [1], I don't think that's likely to happen anytime soon.

I'm constantly thankful that I'm able to work somewhere that I don't have to worry about other people's bogus security checkboxes.

[1] https://marc.info/?l=openbsd-misc&m=139819485423701&w=2


I agree. Until someone convinces NIST to modernize and/or improve the FIPS standard, people who work with government agencies are stuck with it...


This is not a priority at all for the OpenBSD developers. Most of them are Canadian anyway, as I understand it.


That is actually understating it. The libressl developers purged the code base of the FIPS stuff as part of a policy. From here:

* https://marc.info/?l=openbsd-misc&m=139819485423701&w=2

"Note that FIPS mode isn't just worthless, it's actively harmful."


Unfortunately if you work with the US Government, there are situations where FIPS mode is required. This is why RHEL and CentOS still use OpenSSL...


Canada actually respects FIPS 140-2 certification (and cooperates in certifying implementations!), so this would very much be relevant in a Canadian context.


I guess this also matters: https://en.wikipedia.org/wiki/FIPS_140#Criticism

It is very easy to see how this in practice lessens security.


If anyone really wanted FIPS 140-2 compliance for libressl they should pony up the money to get it certified instead of complaining about it on message boards.


They actively removed and refuse FIPS mode as policy.

https://marc.info/?l=openbsd-misc&m=139819485423701&w=2

No one that cares enough to use LibreSSL over OpenSSL would want FIPS as reintroducing it would make LibreSSL demonstrably worse. Anyone that requires FIPS doesn't know or care enough about security to have a dog in the fight.


> "But I need FIPS mode for blah blah." I notice nobody claims that there's any intrinsic value to FIPS mode. It's widely recognized as a worthless checkbox; now it's time to stand up to the clowns in charge and tell them the same thing. It's funny to compare how many people like to quote Gandhi's "Be the change that you wish to see in the world." with how few people actually like to be the change.

This is news to me! All I can say is, "Godspeed, Ted Unangst."


There are people in government that care about security. Unfortunately we aren't the ones that write the specifications/regulations.


Yes, this is why I had to stick to OpenSSL for my Linux distribution even though I would have preferred LibreSSL.
