
What are the main advantages of using LibreSSL vs OpenSSL?

As I understood LibreSSL is a fork of OpenSSL:

LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

Seems like a good idea to use it.

Is this library widely used? Why would server administrators choose LibreSSL over OpenSSL?


2 Answers


There is a very extensive article at Wikipedia and it does not make sense to reiterate everything here. But to give you some highlights:

  • It replaces OpenSSL on OpenBSD, OS X since 10.11 and on some other systems.
  • It started with throwing away lots of stuff which was considered useless for the target platforms or insecure by design and it also added some more secure defaults.
  • The result of this is that, of the 6 critical vulnerabilities in OpenSSL since the fork, none affected LibreSSL.

Why would server administrators choose LibreSSL over OpenSSL?

If anybody cares about security or wants to sleep better at night and not care about the next OpenSSL vulnerability, the choice should be clear.

    I specifically am using LibreSSL as libtls makes implementing secure TLS so, freaking easy! No longer needing to go through the horrific OpenSSL documentation, one small manpage for libtls tells you exactly everything you need to know – Antwan van Houdt Nov 21 '17 at 12:03

While the OpenSSL project was busy missing the OpenSSL 3 release date by several years, firing multiple project managers in the process, the LibreSSL developers have started to replace large swaths of the OpenSSL codebase with new ISC-licensed code, while maintaining compatibility with the majority of OpenSSL 1.0 and 1.1 APIs. LibreSSL also has not fired any project managers or missed any key deadlines. And, as noted above, the LibreSSL developers are willing to collaborate on missing functionality as needed. I do not think we can expect such levels of collaboration with the OpenSSL team, even if their project had healthy governance: they appear to have intentionally installed multiple layers of red tape between themselves and the community.

FIPS mode

One major issue that would require addressing is that LibreSSL has removed FIPS mode, while we have end users who require FIPS mode for compliance reasons. One possibility could be to reintroduce FIPS mode as a set of configurations which restrict ciphersuites to ones that have been approved for use under FIPS. In the past, however, this led to OpenSSL being used for some packages in lieu of LibreSSL so that those users could make use of a FIPS module. Discussing FIPS compliance functionality with LibreSSL developers would be considered a task item if we looked in this direction.

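Two points in the answers above lend themselves to a concrete check: the first answer notes that LibreSSL silently replaces OpenSSL on some platforms (so an application may be linked against a different library than its operator assumes), and the second answer describes reimplementing "FIPS mode" as a configuration that restricts the ciphersuites a TLS stack will offer. The following script is an added example written for this page; it is not code from either answer, from LibreSSL or from OpenSSL. It assumes only Python's standard `ssl` module, which is a thin wrapper over whichever of the two libraries the interpreter was built against. The cipher strings `RESTRICTED_CIPHERS` and `PERMISSIVE_CIPHERS` are constructed for illustration: the restricted one is a reasonable modern allowlist (ECDHE key exchange, AES-GCM AEAD), not a FIPS-approved list, which only a validated module's security policy can define.

```python
import ssl

# Constructed allowlist for illustration only: forward-secret ECDHE key
# exchange with AES-GCM AEAD suites. This is NOT a FIPS-approved list; a real
# FIPS policy is defined by the validated module's security policy document.
RESTRICTED_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5"

# Deliberately permissive string (constructed), used only to show what the
# restriction removes. Do not ship this.
PERMISSIVE_CIPHERS = "ALL:!aNULL:!eNULL"


def tls_library():
    """Name of the TLS library this interpreter is linked against, taken from
    the version banner: 'OpenSSL' or 'LibreSSL' (e.g. on Apple's system Python)."""
    return ssl.OPENSSL_VERSION.split()[0]


def build_context(cipher_string):
    """Client context that refuses anything below TLS 1.2 and offers only the
    suites selected by cipher_string (OpenSSL cipher-list syntax, which
    LibreSSL also accepts)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def tls12_suites(ctx):
    """Names of the TLS 1.2 suites the context will offer. TLS 1.3 suites are
    fixed by the library and are not governed by set_ciphers(), so they are
    filtered out here and must be reviewed separately."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def non_aead_suites(ctx):
    """Suites that are not AEAD (CBC-mode and similar). A restrictive policy
    should leave this list empty."""
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def policy_violations(names):
    """Suite names outside the ECDHE + AES-GCM allowlist, by name pattern, as a
    second, independent check on what set_ciphers() actually selected."""
    return [n for n in names if not (n.startswith("ECDHE-") and "-GCM-" in n)]


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION, "->", tls_library())
    restricted = build_context(RESTRICTED_CIPHERS)
    permissive = build_context(PERMISSIVE_CIPHERS)
    print("restricted TLS 1.2 suites:", tls12_suites(restricted))
    print("non-AEAD suites left by the restricted policy:", non_aead_suites(restricted))
    print("non-AEAD suites offered by the permissive policy:", len(non_aead_suites(permissive)))
    print("allowlist violations in restricted context:", policy_violations(tls12_suites(restricted)))
```

Running it on a host shows first which library the process actually uses, then the difference between the two policies: the permissive string still offers CBC-mode suites, the restricted one offers only ECDHE/AES-GCM. The point of checking the result with `get_ciphers()` rather than trusting the string is that cipher-list keywords are resolved by the library at runtime, so the same string can select different suites on OpenSSL and LibreSSL, or across versions of either.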