# Using LibreSSL



## 6502 (Jul 28, 2019)

Is it a good idea to use LibreSSL instead of OpenSSL?


----------



## xtremae (Jul 28, 2019)

There is/was a discussion here.


----------



## Phishfry (Jul 28, 2019)

I also wanted to note that both OPNSense and HardenedBSD backed off using LibreSSL.
For HardenedBSD, Shawn said it was a manpower issue to keep both. OPNSense was doing a version with LibreSSL for a while.


----------



## Remington (Jul 28, 2019)

I used to have LibreSSL on my server and decided to switch back after some ports required OpenSSL to build. I'll wait until FreeBSD decides to switch to LibreSSL then that will force maintainers to patch their ports to use LibreSSL. In the meantime, you're better off staying with OpenSSL.


----------



## SirDice (Jul 29, 2019)

Yeah, I too had it set for a while. But too many ports either failed to build or had other issues. So I switched back to the base OpenSSL.


----------



## drhowarddrfine (Jul 29, 2019)

In addition, if performance is an issue, LibreSSL is slower than OpenSSL.


----------



## olafz (Jul 29, 2019)

I have switched to security/libressl, it is used by several ports, e.g. www/nginx and security/openssh-portable. No problems so far.


----------



## drhowarddrfine (Jul 29, 2019)

olafz Are you sure about that? I've never used libressl with nginx.


----------



## SirDice (Jul 29, 2019)

drhowarddrfine said:


> I've never used libressl with nginx.


It's not the default. If you set `DEFAULT_VERSIONS+= ssl=libressl` then nginx would indeed be built against LibreSSL.


----------



## olafz (Jul 29, 2019)

drhowarddrfine said:


> olafz Are you sure about that? I've never used libressl with nginx.


Yes.

```
root@annie:~ # pkg query %ro libressl
databases/mariadb103-server
lang/ruby25
databases/mariadb103-client
mail/postfix
security/php72-openssl
security/openssh-portable
security/py-cryptography
archivers/libzip
archivers/libarchive
lang/python27
ftp/curl
dns/ldns
lang/python36
www/nginx
security/p5-Net-SSLeay
devel/libevent
```


----------



## drhowarddrfine (Jul 29, 2019)

olafz Your previous post gives the impression that libressl is the default. It is not, as SirDice also pointed out.


----------



## olafz (Jul 30, 2019)

drhowarddrfine said:


> olafz Your previous post gives the impression that libressl is the default. It is not, as SirDice also pointed out.


It is as I have `DEFAULT_VERSIONS+= ssl=libressl` defined.


----------



## drhowarddrfine (Jul 30, 2019)

olafz You are confused. That is not an nginx default. That is your personal system configuration.


----------



## olafz (Jul 30, 2019)

I have never said that libressl is the default.


----------



## scottro (Jul 30, 2019)

Just to clarify for people glancing at the thread, the OP has set it as default in their /etc/make.conf but it is not the default in an install of FreeBSD. (Nor do I think the OP implied it was, but a new user may get slightly confused).


----------
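
Added example, not written by any poster in this thread: a small sh function that reports which ssl flavor a make.conf-style file selects through `DEFAULT_VERSIONS`, the setting SirDice and scottro describe above. The names `effective_ssl`, `check_ssl` and `sample_make_conf`, the sample input, and the resolution rules stated in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which ssl flavor a make.conf-style file selects.
# Assumption: the last ssl= token in DEFAULT_VERSIONS wins, a plain "="
# assignment discards earlier tokens, and no ssl= token means "base".
# Only "=" and "+=" assignments are modelled.

effective_ssl() {  # usage: effective_ssl FILE
    awk '
    {
        sub(/#.*/, "")                           # strip comments
        if (!match($0, /^[ \t]*DEFAULT_VERSIONS[ \t]*[+]?=/)) next
        op   = substr($0, RSTART, RLENGTH)
        rest = substr($0, RSTART + RLENGTH)
        if (op !~ /[+]=/) ssl = ""               # "=" resets the list
        n = split(rest, tok, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^ssl=/) ssl = substr(tok[i], 5)
    }
    END { print (ssl == "" ? "base" : ssl) }
    ' "$1"
}

# Constructed sample input, not taken from any poster's system.
sample_make_conf() {
    cat <<'EOF'
DEFAULT_VERSIONS= ssl=openssl
#DEFAULT_VERSIONS+= ssl=base
DEFAULT_VERSIONS+= php=7.2 ssl=libressl   # local override
EOF
}

# check_ssl FILE EXPECTED: exit status 0 only when the file selects EXPECTED.
check_ssl() {
    got=$(effective_ssl "$1")
    [ "$got" = "$2" ] && return 0
    echo "ssl flavor is '$got', expected '$2'" >&2
    return 1
}

demo=$(mktemp)
sample_make_conf > "$demo"
echo "effective ssl flavor: $(effective_ssl "$demo")"
rm -f "$demo"
```

On a real host, `check_ssl /etc/make.conf base` gives a quick way to confirm a build machine has not drifted from the stock setting before comparing it with the `pkg query %ro` output shown earlier in the thread.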



## xtaz (Jul 30, 2019)

OpenSSL has come a long way since LibreSSL was created. It now has several paid maintainers who have modernized the codebase and eliminated most of the problems that caused the LibreSSL fork. And they continue to improve it. This can be seen by the fact OpenSSL supports TLSv1.3 and LibreSSL still does not.

I stuck with LibreSSL for a couple of years but moved back to OpenSSL when 1.1.1 came out.


----------



## drhowarddrfine (Jul 30, 2019)

olafz said:


> I have never said that libressl is the default.





olafz said:


> I have switched to security/libressl, it is used by several ports, e.g. www/nginx and security/openssh-portable.


Not to belabor the point but do you see the confusion?


----------



## olafz (Jul 31, 2019)

drhowarddrfine said:


> Not to belabor the point but do you see the confusion?


Not at all. I have never said that libressl is the default.


----------

