Original author(s) | The OpenSSL Project |
---|---|
Developer(s) | The OpenBSD Project |
Initial release | 2.0.0 / 11 July 2014 |
Stable release | 2.4.5 (February 1, 2017) |
Preview release | 2.5.1 (February 1, 2017) |
Repository | github |
Development status | Active |
Written in | C and assembly |
Operating system | OpenBSD, FreeBSD, NetBSD, Linux, HP-UX, Solaris, OS X, Windows and others |
Type | Security library |
License | Apache license 1.0, 4-clause BSD License, ISC license, and some are public domain |
Website | www |
LibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It was forked from the OpenSSL cryptographic software library in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL, with the aim of refactoring the OpenSSL code so as to provide a more secure implementation.
LibreSSL was forked from the OpenSSL library starting with the 1.0.1g branch and will follow the security guidelines used elsewhere in the OpenBSD project.
After the Heartbleed bug in OpenSSL, the OpenBSD team audited the code afresh, and quickly realised they would need to maintain a fork themselves. The libressl.org domain was registered on 11 April 2014; the project announced the name on 22 April 2014.
In the first week of code pruning, more than 90,000 lines of C code were removed. Older or unused code was removed, along with support for some older or now-rare operating systems. LibreSSL was initially developed as an intended replacement for OpenSSL in OpenBSD 5.6, and was then ported back to other platforms once a stripped-down version of the library was stable. As of April 2014, the project was seeking a "stable commitment" of external funding.
On 17 May 2014, Bob Beck presented "LibreSSL: The first 30 days, and what the Future Holds" at the 2014 BSDCan conference, describing the progress made in the first month, the issues encountered, and the changes implemented.
On 5 June 2014, several OpenSSL bugs became public. While several projects were notified in advance, LibreSSL was not; Theo de Raadt accused the OpenSSL developers of intentionally withholding this information from OpenBSD and LibreSSL.