Skip to content ↓ | Skip to navigation ↓

OpenBSD founder Theo de Raadt has created a fork from OpenSSL called LibreSSL because the current version is “too much of a mess.” LibreSSL will run on multiple operating systems and will be free of charge.

Is a new SSL fork enough to solve OpenSSL problems, or should Raadt start from scratch?

Listen to episode 143 of our Security Slice podcast and hear Craig Young, Ken Westin and Tim Erlin discuss why cryptography should be a team effort, why market pressures have different impacts on open source software, and how to ask the right questions about open source vs. commercial cryptographic solutions.

Click Here to Listen to the Podcast


More Podcasts:



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


Title image courtesy of ShutterStock

10 Ways Tripwire Outperforms Other Cybersecurity Solutions
  • William Orr

    First, it's worth noting that I'm fully in the LibreSSL camp.

    But this particular podcast is very disconcerting in that it totally ignores Mozilla's nss, gnutls and PolarSSL. It also overlooks the fact that it's non-trivial just to switch your application to a different SSL implementation. It requires a considerable amount of effort to switch to a new API. The fact that LibreSSL is going to try and remain API-compatible with OpenSSL makes it especially compelling, since it will be a drop-in replacement for OpenSSL.

  • These are good points. There are more than a dozen projects/products for implementing SSL and our goal was not to discuss all of the alternatives to OpenSSL and their relative strengths and weaknesses. For an application developer it does certainly take effort to migrate between SSL libraries but in general for web site or mail server administrators it is not such a big deal as projects like Apache, Lighttpd, Postfix, and others tend to support more than just OpenSSL. Keeping LibreSSL API compatible with OpenSSL does make it attractive from a development cost perspective but our discussion was aimed more toward the security aspects. On a side note, I think it is worth mentioning that some of the OpenSSL alternatives have been slow to adopt newer standards such as TLSv1.2 and AES GCM.

<!-- -->