View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0004998||libmicrohttpd||HTTPS (SSL)||public||2017-04-26 17:21||2019-02-14 10:33|
|Priority||normal||Severity||feature||Reproducibility||have not tried|
|Product Version||current SVN|
|Target Version||current SVN||Fixed in Version||0.9.63|
|Summary||0004998: LibreSSL support|
I've used the Let's Encrypt free automated open CA (https://letsencrypt.org) to build HTTPS servers, and I've used the acme-client client, which is written in C, and found the following interesting message on its home page (https://kristaps.bsd.lv/acme-client):
"Be up-front about security: OpenSSL is known to have issues (https://www.openssl.org/news/vulnerabilities.html), you can't trust what comes down the pipe, and your private key's integrity is a hard requirement. Not a situation where you can be careless. Acme-client is a client for Let's Encrypt users, but one designed for security. No Python. No Ruby. No Bash. A straightforward, open source (https://github.com/kristapsdz/acme-client/blob/master/LICENSE.md) implementation in C that isolates each step of the sequence."
So, I'm opening this feature request because it would be nice to have LibreSSL support in MHD, and it seems simpler to implement than OpenSSL.
LibreSSL at Wikipedia: https://en.wikipedia.org/wiki/LibreSSL
Official LibreSSL page: https://www.libressl.org
|Additional Information||Related to: https://gnunet.org/bugs/view.php?id=4917 .|
I doubt that the statement of LibreSSL is still an issue.
LibreSSL was started when Heartbleed was around.
Now this isn't a statement based on my experience but someone I know told me "OpenBSD might have good software but they also ignore lots of modern standards" from an independent audit they made. OpenBSD also has regular problems with financial support. In contrast to this, OpenSSL is well established and has long-term financial support.
It makes sense to support both of them, not to limit oneself to OpenSSL OR LibreSSL.
This is possible, and should be the preferred solution as there are systems that have to decide on one of them.
I'm inclined to close this issue and open a new one with "[enhancement] Add support for other SSL libraries (at least mbed, openssl)".
What do you think?
For the record. This is also an issue on VoidLinux:
libcrypto44-2.8.3_1 (update) breaks installed pkg `libressl-2.8.2_1'
libssl46-2.8.3_1 (update) breaks installed pkg `libressl-2.8.2_1'
libtls18-2.8.3_1 (update) breaks installed pkg `libressl-2.8.2_1'
Transaction aborted due to unresolved dependencies.
Agreed, let's close this one, we have other bugs for other SSL libs that are likely more important.
|2017-04-26 17:21||silvioprog||New Issue|
|2017-04-26 17:21||silvioprog||Tag Attached: ssl https|
|2017-04-26 17:22||silvioprog||Relationship added||related to 0004917|
|2017-09-27 11:48||ng0||Note Added: 0012447|
|2018-02-01 00:02||silvioprog||Note Added: 0012846|
|2018-02-01 00:02||silvioprog||Assigned To||=> silvioprog|
|2018-02-01 00:02||silvioprog||Status||new => feedback|
|2018-02-01 00:08||silvioprog||Relationship added||related to 0004918|
|2019-01-09 20:02||mwarning||Note Added: 0013450|
|2019-02-14 10:33||Christian Grothoff||Status||feedback => closed|
|2019-02-14 10:33||Christian Grothoff||Resolution||open => won't fix|
|2019-02-14 10:33||Christian Grothoff||Fixed in Version||=> 0.9.63|
|2019-02-14 10:33||Christian Grothoff||Note Added: 0013741|