# Replacing OpenSSL with LibreSSL



## toprank (Feb 7, 2018)

What's the correct procedure to completely replace OpenSSL with LibreSSL in FreeBSD 11.1-RELEASE?


----------



## drhowarddrfine (Feb 7, 2018)

80% of all questions can be answered with, "Look in the Handbook". The other 18% are solved by Googling.


----------



## SirDice (Feb 7, 2018)

https://wiki.freebsd.org/LibreSSL

Note that I don't recommend removing OpenSSL and replacing it with LibreSSL for the base. At least not yet. Better leave the base system as-is to avoid any complications during updating or with any of the base OS tools.

For ports it's not a problem, I have many servers using LibreSSL. Some ports have problems with it though, it's not a 100% in-place replacement. Problematic ports can usually be fixed by enabling/disabling certain options.


----------



## xtaz (Feb 7, 2018)

Agreed with what SirDice has said. I only use it for ports and keep the base OpenSSL as it is. So I change make.conf (inside poudriere) so that it has DEFAULT_VERSIONS+=ssl=libressl. Kick off a poudriere build and then a pkg upgrade to reinstall everything.

Occasionally some ports fail to build with it and you have to manually apply a patch or change the options. ftp/curl for example needs the TLS_SRP option switched off. databases/pgbouncer fails to build without a manually applied patch. For the most part though things tend to work fine.

I suspect that one day the OpenSSL in the base system will either be removed entirely in favour of the port version, or replaced with LibreSSL. But until this happens I would stick with OpenSSL there and not poke the beast too much.

I mitigate this by using port versions for everything. So OpenSSH for example is the port version linked to LibreSSL from ports. I use very little base software.


----------



## sidetone (Feb 7, 2018)

toprank said:


> What's the correct procedure to completely replace OpenSSL with LibreSSL in FreeBSD 11.1-RELEASE?


My guess is that this is likely for FreeBSD 12. As xtaz and SirDice have said, ftp/curl's and other ports' full or default features are incompatible with it.

For FreeBSD 11.1, starting with

```
DEFAULT_VERSIONS+=ssl=libressl
```

my working theory of make.conf to keep all security features for LibreSSL is to use GSS-API from ports with SET/UNSET:

```
OPTIONS_UNSET= GSSAPI_BASE
OPTIONS_SET= GSSAPI_HEIMDAL # or GSSAPI_MIT
# or for specificity, since few ports default to GSSAPI_BASE and OpenSSL
ftp_curl_UNSET= GSSAPI_BASE
ftp_curl_SET= GSSAPI_HEIMDAL # or GSSAPI_MIT
```
and/or to see if it's possible to set the default to OpenSSL for programs that absolutely require it, leaving LibreSSL the default for other ports. I'm uncertain how to proceed with this:

```
# Is the following such an option?
ftp_curl_DEFAULT_VERSIONS+=ssl=openssl  # ????
```

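Putting the make.conf knobs from xtaz's and sidetone's posts into one place, as an added example that is not code from the thread: a script that emits the poudriere make.conf fragment (LibreSSL as the ports default plus the per-port SET/UNSET overrides) and then audits an installed prefix for binaries that still resolve libssl/libcrypto from the base system, the check you want after the `pkg upgrade`. The jail name, the make.conf path, and the ldd(1) samples are assumptions/constructed, and the GSSAPI override is sidetone's untested working theory rather than a verified fix.

```shell
#!/bin/sh
# Added example, not code from the thread. Combines the make.conf knobs the
# posts above mention (DEFAULT_VERSIONS plus per-port SET/UNSET) with the check
# a practitioner wants after the rebuild: which installed binaries still link
# the base OpenSSL. Jail name, file paths and the ldd(1) samples are assumed /
# constructed, not captured from a real 11.1 host.

# make.conf fragment for a poudriere jail, e.g.
# /usr/local/etc/poudriere.d/111amd64-make.conf (path and jail name assumed).
gen_make_conf() {
    cat <<'EOF'
# Build every port against security/libressl instead of the base OpenSSL.
DEFAULT_VERSIONS+=ssl=libressl
# ftp/curl: TLS_SRP does not build against LibreSSL (xtaz's post).
ftp_curl_UNSET+=TLS_SRP
# ftp/curl: GSS-API from ports rather than the base Heimdal, which links the
# base libcrypto (sidetone's untested working theory).
ftp_curl_UNSET+=GSSAPI_BASE
ftp_curl_SET+=GSSAPI_HEIMDAL
EOF
}

# Classify ldd(1) output ($1) by where libssl/libcrypto are resolved from:
#   base  - /lib or /usr/lib   (the OpenSSL shipped with the base system)
#   ports - /usr/local/lib     (security/libressl or security/openssl)
#   mixed - both in one process image; two different SSL libraries loaded
#           together is the case most worth catching
#   none  - no SSL library linked at all
ssl_origin() {
    printf '%s\n' "$1" | awk '
        /lib(ssl|crypto)\.so/ {
            if ($3 ~ /^\/usr\/local\/lib\//) ports = 1
            else if ($3 ~ /^\/(usr\/)?lib\//) base = 1
        }
        END {
            if (base && ports) print "mixed"
            else if (base)      print "base"
            else if (ports)     print "ports"
            else                print "none"
        }'
}

# Walk a prefix (normally /usr/local) after `pkg upgrade` and report programs
# and shared libraries that still pull in the base libssl/libcrypto.
audit_prefix() {
    prefix=${1:-/usr/local}
    for f in "$prefix"/bin/* "$prefix"/sbin/* "$prefix"/lib/*.so*; do
        [ -f "$f" ] || continue
        out=$(ldd "$f" 2>/dev/null) || continue   # skip non-ELF files
        case $(ssl_origin "$out") in
            base|mixed) echo "$f: still linked against base OpenSSL" ;;
        esac
    done
}

# Constructed ldd output for the demo (library version numbers are assumed).
LDD_PORTS='/usr/local/bin/curl:
        libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800a00000)
        libssl.so.45 => /usr/local/lib/libssl.so.45 (0x800c00000)
        libcrypto.so.43 => /usr/local/lib/libcrypto.so.43 (0x800e00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)'
LDD_BASE='/usr/local/sbin/pgbouncer:
        libssl.so.8 => /usr/lib/libssl.so.8 (0x800800000)
        libcrypto.so.8 => /lib/libcrypto.so.8 (0x800a00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)'
LDD_MIXED='/usr/local/bin/curl:
        libssl.so.45 => /usr/local/lib/libssl.so.45 (0x800c00000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800e00000)
        libcrypto.so.8 => /lib/libcrypto.so.8 (0x801000000)
        libcrypto.so.43 => /usr/local/lib/libcrypto.so.43 (0x801200000)'
LDD_NONE='/usr/local/bin/tmux:
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Stand-alone demo: show the fragment and classify the samples.
gen_make_conf
echo "curl (ports)      : $(ssl_origin "$LDD_PORTS")"
echo "pgbouncer (base)  : $(ssl_origin "$LDD_BASE")"
echo "curl (mixed)      : $(ssl_origin "$LDD_MIXED")"
echo "tmux (none)       : $(ssl_origin "$LDD_NONE")"
# On a real host, after the rebuild: audit_prefix /usr/local
```

The "mixed" case is the one to look for: a port built against LibreSSL that drags in a base library (here libgssapi, which links the base libcrypto) ends up with two crypto libraries in one process, which is exactly the kind of complication the thread recommends avoiding by leaving the base OpenSSL alone and keeping LibreSSL in ports.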

----------



## eirnym (Aug 18, 2018)

ftp/curl can be compiled with a few SSL implementations. One of them is… the SSL in the base system, not from the ports.

Also, security/openssl and security/libressl are mutually exclusive.


----------

