View Issue Details

ID: 0004998
Project: libmicrohttpd
Category: HTTPS (SSL)
View Status: public
Last Update: 2019-02-14 10:33
Reporter: silvioprog
Assigned To: silvioprog
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: closed
Resolution: won't fix
Product Version: current SVN
Target Version: current SVN
Fixed in Version: 0.9.63
Summary: 0004998: LibreSSL support

Description:

Hello,

I've used the Let's Encrypt free, automated, open CA (https://letsencrypt.org) to build HTTPS servers, and I've used the acme-client client, which is written in C, and found the following interesting message on its home page (https://kristaps.bsd.lv/acme-client):

"Be up-front about security: OpenSSL is known to have issues (https://www.openssl.org/news/vulnerabilities.html), you can't trust what comes down the pipe, and your private key's integrity is a hard requirement. Not a situation where you can be careless. Acme-client is a client for Let's Encrypt users, but one designed for security. No Python. No Ruby. No Bash. A straightforward, open source (https://github.com/kristapsdz/acme-client/blob/master/LICENSE.md) implementation in C that isolates each step of the sequence."

So, I'm opening this feature request because it would be nice to have LibreSSL support in MHD, and it seems simpler to implement than OpenSSL.

LibreSSL at Wikipedia: https://en.wikipedia.org/wiki/LibreSSL
Official LibreSSL page: https://www.libressl.org
Additional Information: Related to: https://gnunet.org/bugs/view.php?id=4917 .
Tags: ssl https

Relationships

related to 0004917 new OpenSSL support 
related to 0004918 new mbed TLS support 

Activities

ng0

2017-09-27 11:48

reporter   ~0012447

I doubt that the statement of LibreSSL is still an issue.

LibreSSL was started when Heartbleed was around.

Now this isn't a statement based on my experience but someone I know told me "OpenBSD might have good software but they also ignore lots of modern standards" from an independent audit they made. OpenBSD also has regular problems with financial support. In contrast to this, OpenSSL is well established and has long-term financial support.

It makes sense to support both of them, not to limit oneself to OpenSSL OR LibreSSL.
This is possible, and should be the preferred solution as there are systems that have to decide on one of them.

silvioprog

2018-02-01 00:02

developer   ~0012846

Totally agreed.

I'm inclined to close this issue and open a new one with "[enhancement] Add support for other SSL libraries (at least mbed, openssl)".

What do you think?

mwarning

2019-01-09 20:02

reporter   ~0013450

For the record. This is also an issue on VoidLinux:
```
xbps-install libmicrohttpd-devel
libcrypto44-2.8.3_1 (update) breaks installed pkg `libressl-2.8.2_1'
libssl46-2.8.3_1 (update) breaks installed pkg `libressl-2.8.2_1'
libtls18-2.8.3_1 (update) breaks installed pkg `libressl-2.8.2_1'
Transaction aborted due to unresolved dependencies.
```

Christian Grothoff

2019-02-14 10:33

manager   ~0013741

Agreed, let's close this one, we have other bugs for other SSL libs that are likely more important.

Issue History

Date Modified Username Field Change
2017-04-26 17:21 silvioprog New Issue
2017-04-26 17:21 silvioprog Tag Attached: ssl https
2017-04-26 17:22 silvioprog Relationship added related to 0004917
2017-09-27 11:48 ng0 Note Added: 0012447
2018-02-01 00:02 silvioprog Note Added: 0012846
2018-02-01 00:02 silvioprog Assigned To => silvioprog
2018-02-01 00:02 silvioprog Status new => feedback
2018-02-01 00:08 silvioprog Relationship added related to 0004918
2019-01-09 20:02 mwarning Note Added: 0013450
2019-02-14 10:33 Christian Grothoff Status feedback => closed
2019-02-14 10:33 Christian Grothoff Resolution open => won't fix
2019-02-14 10:33 Christian Grothoff Fixed in Version => 0.9.63
2019-02-14 10:33 Christian Grothoff Note Added: 0013741