Cryptographic Libraries

Cryptographic Libraries such as OpenSSL provide the utilities which provide encryption.


Modules provide integration between applications which dont make calls directly to OpenSSL, such as mod_ssl which provides the intergration between Apache and OpenSSL.


OpenSSL is the defacto standard for providing cryptographic functions in Linux. However in the last few years it has had bad track record, I wrote an blog rant a few years back after heartbleed and since then the blood letting has continued. The problems will of course continue to be discovered in not just software but the concepts and implementation of all aspects. Because its impossible to analyse every new concept, rather time is only allocated to auditing whats actually being actively used

There are many many more vulnerbilities to be discovered in the implementation of everything from client to server, the design of ciphers & protocols will be untrusted as new attacks and computing power changes, therefore its important in my view to limit risk by multiple methods.

I have migrated to LibreSSL however there are problems in ALL software.

OpenSSL Drop In Alternatives

OpenSSL Full Alternatives

Install LibreSSL on FreeBSD 10

LibreSSL is very easy to install on FreeBSD, if you use OpenBSD it is the default library. Using LibreSSL gives you the ability to run Chacha20-poly1305, and has done since well before OpenSSL. While it is a fork of OpenSSL, a lot of defunct code has been removed. Its fully compatible with NGINX and I will test OpenVPN shortly however a cipher list displays chacha.

Install LibreSSL on FreeBSD10 via Ports
portsnap fetch && portsnap extract (use this if you havnt used ports before)
or portsnap fetch && portsnap update (use this update the new changes)
cd /usr/ports/security/libressl
make install clean (go ahead and select defaults)
which openssl reveals that "/usr/bin/openssl" is the OpenSSL system default
/usr/local/bin/openssl version is LibreSSL. Installs will use this automatically.
cd /usr/ports/www/nginx
make install clean (select your desired options - include SSL/SPDY or HTTP2)
nginx -V will display:
nginx version: nginx/1.8.1
built with LibreSSL 2.2.6
TLS SNI support enabled

and youre all done!

LibreSSL Application Compatibility

  • Postfix/Dovecot: LibreSSL appears to be incompatible. Initial binding failed with errors, and couldnt get a smtp helo back (on freebsd via packages, havnt tried ports). Theres probably something Ive missed so when i find that, i will update this (i was using a custom cipher list so its most likely that)
  • Nginx: LibreSSL works PERFECTLY
  • Apache: LibreSSL works PERFECTLY