-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
plans on incorporating LibreSSL #428
Comments
From the 2.1.2 (2014-12-09) release notes:
|
+1 for some kind of replacement. I know Google has BoringSSL in Chrome, but it doesn't seem to be a very publicized project; maybe they don't really want external dependents. |
@domenic or maybe they don't care about dependents but they deem their changes to be too experimental and Chrome/Android specific [1]. I've read they do interchange code with LibreSSL and license all there stuff under ISC because of that [1][2]. [1] https://www.imperialviolet.org/2014/06/20/boringssl.html |
Is mingw compatible with the VS compiler/linker yet? I would think that would be a problem as long as VS is used to build iojs. |
From @bcook-r7 the maintainer of libressl-portable:
|
Are they planning on supporting MSVC builds? |
@piscisaureus I can imagine, unfortunately it doesn't look like that's what they're planning: libressl/portable#59 (comment) |
That pretty much kills it for us, doesn't it? What do we do with this issue? Close? Aside, I looked at the libtls API when it was first announced and I doubt it would be a good fit for the tls module in io.js. The API seems to be designed for the common case; reasonable design choice but the way TLS is implemented in io.js is not the common case. |
@bnoordhuis can you explain a bit what you mean with "the way TLS is implemented in io.js is not the common case"? |
@timkuijsten libtls caters to synchronous socket-based TLS (at least, that's the impression I get) but the TLS layer in io.js is neither synchronous nor does it map directly to sockets. There are also a number of knobs that libtls doesn't appear to expose. |
That sounds right @bnoordhuis. While there are some recent changes to make libtls support non-blocking operation as well, but this work is ongoing and not quite ready. |
couldn't as a first step LibreSSL with the legacy openssl bindings be dropped in? that would give some benefits off the bat like chacha20/poly1305 |
in other news doesn't look like libressl has implemented the chacha20/poly1305 aead yet |
Hi @calvinmetcalf - are you having trouble getting those ciphers to work with LibreSSL? I believe they are the default when using TLS 1.2, unless I have misunderstood the problem. I just checked with 'openssl s_client':
|
Yes they are both in there but I wasn't able to find the combined aead in On Mon, Jan 19, 2015, 5:26 AM Brent Cook [email protected] wrote:
|
More specifically, compiling node with libressl works and allows encrypting On Mon, Jan 19, 2015, 6:21 AM Calvin Metcalf [email protected]
|
Got it, thanks for the clarification. |
Looks like this isn't going to viable for the foreseeable future? Re-open if it is. |
@calvinmetcalf, you don't happen to have an integration branch you were working from, do you? I wouldn't mind taking a look before the next LibreSSL release. |
I just installed libressl and compiled io.js with the flags to use the On Sat, Jan 31, 2015, 11:24 AM Brent Cook [email protected] wrote:
|
FWIW, only 5 of the 13 OpenSSL vulnerabilities announced today affected LibreSSL as well. The two high-severity ones were not among them. Details: http://undeadly.org/cgi?action=article&sid=20150319145126 |
https://news.ycombinator.com/item?id=9217211 LibreSSL 2.2.x is expected to be released later this year around August. |
2.0.0 and later don't work with libressl. Earlier versions worked fine. |
I am aware. |
fyi: I started a node branch that allows to build node with libressl: https://github.com/Gottox/node |
Posting now that libressl has removed the functions neccessary for this ugly hack to work as of 3.9.0 . Strange how github won't let me upload this... https://pastebin.com/AhK7ynSu Of note; SetRsaOaepLabel is probably leaking memory using libre or openssl. This patch is a pile of miserable hacks from various sources. The functionality of nodejs-20.11.1 was tested against building recent versions of firefox and invoking via commandline, which was found working. |
Is there any experience with or are there any plans on replacing OpenSSL with the leaner and meaner LibreSSL with it's new libtls API now that both io.js and LibreSSL have there first releases out?
The text was updated successfully, but these errors were encountered: