By: Walker Rowe, February 09, 2017 (10:50 AM)

LibreSSL Replacement for OpenSSL

LibreSSL Replacement for OpenSSL

The OpenSSL encryption tool is built into most versions of Linux and powers almost all SSL for websites, disk and encryption, and encryption built into chat, Tor, and other programs. It also works on Windows. It’s also illegal to export it to Iran, North Korea, and certain other countries. A US government regulation that is regularly ignored.

But it is old, having its roots in a project started in 1995. So OpenBSD funded a project called LibreSSL to give it an overhaul. Google too has created BoringSSL, which they give away for free too. But Google says it is not for public use, since they will make changes in the future that would break existing code. Google also says they will share their code with LibreSSL.


The Heartbleed Bug Shines the Spotlight on OpenSSL

Most people in the world probably never even heard about OpenSSL until the Heartbleed bug was splashed across the front page of the world’s newspapers in 2014. That let hackers dump the credentials of users logging into websites by exposing its keys. With the spotlight shining on the OpenSSL foundation, the world learned that only 4 programmers were working to maintain the world’s most important encryption software. That is when LibreSSL was launched.

What LibreSSL and BoringSSL did was take a fork off the OpenSSL project. That means they copied the code as it existed on a certain date and started with that as a basis. But the word fork suggests they could merge it back into the OpenSSL code project. But that remains to be seen and is not a stated goal.

OpenSSL Spaghetti Code

The problem with a product like OpenSSL is year after year the developers pile on new features and algorithms. When a software product grows like this it can turn into a monster that programmers call spaghetti code. That means it is so large and scattershot that it is difficult for other programmers to read and understand and thus fix. And it has not incorporated the security best practices learned since 1995, leaving it vulnerable to further hacking. Plus there is not much thorough documentation, which is odd for such an important product.

All of that really means nothing to the average user who never looks at the C source code upon which OpenSSL is written. They are still going to use it the same way they used it before. But the authors of the product say their changes makes it easier for other developers, like cell phone manufacturers, to add encryption to their products. And LibreSSL plans to add new features at a faster rate than the regular OpenSSL project. Plus they will add security features that are absent in certain operating systems upon which OpenSSL runs, thus bringing improved cryptographic support there.

What is OpenSSL?

You use OpenSSL for many things. Verisign and other companies that issue SSL certificates use it to generate keys. Android, Apple, Microsoft, and other systems that use the AES encryption algorithm to encrypt disk and individual files use it as well. And persons who want to encrypt email or use keys instead of passwords to login to servers (via SSH) use it to create keys as well. And web browsers and servers use it to handle SSL.

But OpenSSL does not just create keys. It is loaded with every imaginable encryption and hashing algorithm, like DES3, Blowfish, SHA-1, RSA, etc. All of that would be complicated for a developer to code, so it made sense that it all came together under the OpenSSL open source project umbrella.

OpenSSL and Encryption

OpenSSL did not invent encryption. There is nothing secret about the OpenSSL code or the algorithms built there. You can download the OpenSSL code right here. What makes it difficult to crack is the almost impossible nature of discovering the keys fed into those algorithms.

OpenSSL is the collection of algorithms invented by mathematicians over history, like William Shannon, a mathematician who worked at AT&T Bell Labs in the 1940s, and other mathematicians working at Princeton, like John Nash, and of course Bletchley Park, which is where Alan Turing worked.

The US government published its first encryption standard in 1970. RSA was developed in 1977, funded in part by the American Department of Defense. But it all began with Euclid, who in the 4th century AD first put forth the first theorems about prime numbers. Encryption is based on on the difficulty of determining whether a number is prime. For example, an SSL key is the product of two prime numbers. A computer has to try every possible factor to see if any divide that. That process can take years. Even ECC uses prime number numbers. It is considered the latest and greatest algorithm for protecting web pages. Yet it was developed way back in 1985.

How to Upgrade

It’s fairly easy to replace OpenSSL with LibreSSL on Linux systems. Following these instructions, you just download the source code and compile it.

Then you get the before and after view by typing openssl to open its command prompt and showing the version:

OpenSSL> version
OpenSSL 1.0.2g 1 Mar 2016

OpenSSL> version
LibreSSL 2.1.6

Why Replace OpenSSL if Works?

OpenBSD explains their reasons for taking on the LibreSSL challenge in this presentation. In sum they say, “The Current OpenSSL API in use is difficult to use and error prone.” And like we said, they jumped in when the Heartbleed bug was discovered.

Most of the reasons they give for replacing the code only a programmer will understand. But something the layman will understand is since their first release in 2014 researchers have found 22 “high risk” security issues with LibreSSL and 43 with OpenSSL.

Part of this is due, no doubt, because they have simplified the product, making it easier to follow. They reduced it from 728,000 lines of code to 432,000. They have also added additional algorithms and support libraries to the tool, like poly1305, used to authenticate messages based upon the MAC address (like a serial number) of a device.

And they made simpler the implementation of TLS by moving it to a separate library (subroutine). TLS is also known as SSL 2.0. It is what encrypts HTTPS web sites. Most websites now use TLS.

So Should You Upgrade?

Should you replace OpenSSL on all your servers? Probably not. It would be better to see what RedHat, Ubuntu, and CentOS do. Obviously OpenSSL has some problems. After all, why would Google write their own implementation if it was error free? But if there were to be a new high profile security flaw found in OpenSSL users can swap that out with LibreSSL right away. Users can replace OpenSSL with LibreSSL without breaking anything, as its interfaces are the same.

Be Informed. Stay One Step Ahead.

Sign up for our newsletter and stay up to date with the latest industry news, trends, and technologies