LibreSSL 3.8.0 arrives with many changes and improvements


LibreSSL is a fork of OpenSSL developed by the OpenBSD project.

The developers of the OpenBSD project recently announced the release of the portable edition of LibreSSL 3.8.0, a version in which several changes and improvements focused on stability and compatibility have been made.

For those unfamiliar with LibreSSL, it is an open source implementation of the TLS protocol, developed as a fork of OpenSSL and intended to provide a higher level of security. LibreSSL was initially developed as an intended replacement for OpenSSL on OpenBSD, and was ported to other platforms once a stripped-down version of the library was stabilized.

The LibreSSL project focuses on high-quality support for the SSL/TLS protocols by removing unnecessary features, adding security features, and significantly cleaning up and reworking the code base.

Main new features of LibreSSL 3.8.0

LibreSSL 3.8.0 is considered an experimental version that develops the functionality to be included in OpenBSD 7.4. At the same time, the stable versions LibreSSL 3.6.3 and 3.7.3 were released, in which various bugs were fixed.

This new version improves endian.h compatibility with the hto* and *toh macros, adds support for truncated SHA-2 and SHA-3, and begins the cleanup and rework of the internal SHA code.

Other notable changes are the rewrite of the internal functions BN_exp() and BN_copy() and the replacement of the implementation of the BN_mod_sqrt() function.

In addition, endbr64 (Terminate Indirect Branch) instructions were added to the assembly code for the AMD64 architecture.

A fix was also added for a poorly thought-out change in OpenSSL 3 that broke privilege separation support in libtls. In addition, the BoringSSL code that verifies the rules defined in RFC 5280 was ported, and the conversion of libcrypto to the CBB (bytebuilder) and CBS (bytestring) interfaces continues.

The imported BoringSSL RFC 5280 policy verification code replaces the old exponential-time code. Support for GF2m was also removed, since BIGNUM no longer supports binary extension fields, and most of the public symbols that were deprecated in OpenSSL 0.9.8 were removed.

Among the other changes that stand out in this new version:

  • Removed X9.31 public API (RSA_X931_PADDING is still available).
  • Removed ciphertext stealing mode.
  • Removed support for SXNET and NETSCAPE_CERT_SEQUENCE, including the
    openssl(1) command nseq.
  • Dropped proxy certificate (RFC 3820) support.
  • POLICY_TREE and its related structures and APIs have been removed.
  • Fixed bug check for i2d_ECDSA_SIG() in ossl_ecdsa_sign().
  • Fixed detection of extended operations (XOP) on AMD hardware.
  • Fixed error handling in tls_check_common_name().
  • Added missing pointer invalidation in SSL_free().
  • Fixed X509err() and X509V3err() and their internal versions.
  • Significantly improved test coverage of BN_mod_sqrt() and GCD.
  • As always, new test coverage is added as bugs are fixed and subsystems
    are cleaned up.

Finally, if you are interested in knowing more about it, you can consult the details at the following link.

How to install the new version of LibreSSL?

For those interested in installing this new version, note that it has not yet reached most Linux distributions, so the only installation method currently available is to compile the package yourself.

Building LibreSSL is very simple: you only have to open a terminal and run the following commands (you must have the following dependencies installed: automake, autoconf, git, libtool and perl).

The first thing is to get the source code, which you can do with this command:

git clone https://github.com/libressl/portable.git

Once this is done, we prepare the source tree for compilation. To do this, we enter the folder that contains the LibreSSL source code and type:

cd portable
./autogen.sh
./dist.sh

Once this is done, we proceed to compile with:

./configure
make check
make install

Or if you prefer to do it with CMake:

mkdir build
cd build
cmake ..
make
make test
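After the install step, the distribution's OpenSSL can still be the `openssl` found first on PATH, so it is worth confirming which library a given binary belongs to. The following is an added example, not part of the original article or the LibreSSL project; the function names are hypothetical, and it assumes the `LibreSSL <version>` banner that LibreSSL's `openssl version` prints.

```shell
#!/bin/sh
# Added example: check that an `openssl` binary is LibreSSL >= a minimum.
# Function names are hypothetical; POSIX sh, no external tools but head.

# ver_ge A B: succeed when dotted version A >= B (numeric per component).
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_banner BANNER MIN: classify the first line of `openssl version`.
# Returns 0 only for LibreSSL at or above MIN, 1 for another library or
# an older LibreSSL, 2 when the version field cannot be parsed.
check_banner() {
    name=${1%% *}; rest=${1#* }; ver=${rest%% *}; min=$2
    if [ "$name" != "LibreSSL" ]; then
        echo "not LibreSSL: $name $ver"; return 1
    fi
    case $ver in
        ''|*[!0-9.]*) echo "unparsed: $1"; return 2 ;;
    esac
    if ver_ge "$ver" "$min"; then
        echo "ok: LibreSSL $ver"; return 0
    fi
    echo "too old: LibreSSL $ver < $min"; return 1
}

# verify_openssl [BIN] [MIN]: run the check against a real binary.
verify_openssl() {
    bin=${1:-openssl}; want=${2:-3.8.0}
    command -v "$bin" >/dev/null 2>&1 || { echo "missing: $bin"; return 2; }
    check_banner "$("$bin" version 2>/dev/null | head -n 1)" "$want"
}

# When called with arguments, check that binary: ./check.sh BIN [MIN]
if [ "$#" -gt 0 ]; then verify_openssl "$@"; fi
```

Run it once with the full path of the binary you just installed and once with plain `openssl` to see which one PATH resolves to.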
