openssl vs. libressl

René J.V. Bertin rjvbertin at gmail.com
Fri Nov 13 01:33:18 PST 2015


On Thursday November 12 2015 15:56:58 Jeremy Huddleston Sequoia wrote:

If LibreSSL should become the default, the best compromise in this particular case might yet be to provide a variant that allows Qt to build with the shipped OpenSSL version rather than against the "system" (MacPorts) version.

I don't really want to get into this kind of discussion, but

> Libressl doesn't "emulate" OpenSSL.  It is a derivative of OpenSSL with a focus on better architecture and security.

AFAIK it's a rewrite (has to be, to avoid licensing/copyright issues) that aims to be API compatible. No matter its other goals of being better, that still means it emulates the original:

emulation (plural emulations)
1. The endeavor or desire to equal or excel someone else in qualities or actions.
2. (obsolete) Jealous rivalry; envy; envious contention.
3. (computing) Running a program or other software designed for a different system.

Point 3 is evidently not applicable here, despite the fact that we are in the context of computing.

> Qt should stop using them (even with OpenSSL).

That's really cheap and easy to say. Qt is a middleware that's in a position (system GUI API) not unlike that of major OSes which have to contend with backward compatibility. Telling it to "stop using them" is not unlike telling Apple they should stop shipping anything but the latest version of a whole range of things shipped with the OS (python comes to mind). There's a responsibility to ensure that users who do not know better aren't forced to rely on outdated security mechanisms, not a hard obligation to know better and protect all users against every possibly foolish thing they might use the software for. I am not enough of a security expert to be certain that there are *no* use cases in which SSLv2 is good enough and possibly even preferable over more secure methods.
And just like (I presume) current OS X doesn't rely on major features known to have issues in the Python versions shipped, Qt probably doesn't use SSLv2 itself, or else that warning would have had a different level of urgency. The warnings come from an app (qtdiag) that tests which SSL APIs are available, possibly because their presence was detected at build time and Qt is designed to be deployed in binary form to systems with a different OpenSSL version installed.

In the meantime I'll be replacing libressl with good ole openssl again.

R


More information about the macports-users mailing list