As the online community grapples with the Heartbleed bug and the swath of mass password-changing hysteria left in its wake, the folks at OpenBSD are getting their hands dirty fixing the core of the problem: the OpenSSL encryption scheme.
What began as a massive “strip-down and cleanup” of the popular open-source SSL/TSL library has evolved into the creation of an entirely new version of the scheme, called LibreSSL. Forked from OpenSSL, the LibreSSL protocol is a simpler version of the project that has removed a large portion of the outdated, unmaintained code. LibreSSL will enable multiple-OS support once the code has been “refactored, rewritten, and fixed enough…so we have a stable baseline that we trust and can be maintained/improved,” according to the barebones LibreSSL website.
In an interview with ZDNet, OpenBSD founder Theo de Raadt said the LibreSSL project had already removed 90,000 lines of C code and 150,000 lines of content.
“Some of that is indentation, because we are trying to make the code more comprehensible,” he said. “Ninety-nine point nine nine percent of the community does not care for VMS support, and 98% do not care for Windows support. They care for POSIX support so that the Unix and Unix derivatives can run. They don’t care for FIPS. Code must be simple. Even after all those changes, the codebase is still API compatible. Our entire ports tree (8,700 applications) continues to compile and work after all these changes.”
(Related: OpenSSL’s bleeding heart)
OpenBSD is an open-source Unix-like OS originally developed at the University of California, Berkeley. The volunteer-driven software group is also behind projects such as OpenSSH, OpenBGPD, OpenNTPD and OpenSMTPD.
Before LibreSSL opens to full support, OpenBSD plans to put the “right” portability team in place to make sure the code is regularly maintained and never falls into the sort of disrepair that led to Heartbleed. It is also asking for funding to help complete the project.