#BearSSL developer prefers constant-time algorithms, which is a good thing (albeit slower).
@lattera Why didn't anyone tell me that this would be happening? Now extra sad not being there...

@spil yeah, looks like #FreeBSD is investigating replacing #OpenSSL in base with #BearSSL.

I think BearSSL has some good ideas (preferring constant-time crypto). But I'm not sure it's ready to replace OpenSSL (or even a good idea to do so).

@lattera @spil they will end up with split userland with a base ssl and ports ssl (like they have now with openssl). They should just grab libressl for both base and ports.
@mulander @spil Completely agreed. There are at least two downstream distributions of #FreeBSD (#HardenedBSD and #TrueOS) that have LibreSSL in base.
@spil @mulander In fact, @mwlucas recommends #HardenedBSD or #TrueOS (and _not_ #FreeBSD) if you want to run relayd on a FreeBSD-based system, due to us having #LibreSSL in base as a first-class citizen.
@mulander @lattera Too many utilities in base require crypto to make this simple. Heimdal, ppp and wpa-supplicant already required patching for LibreSSL. Can't imagine what it'd take to adapt for BearSSL in base. ldns, subversion, openssh, sendmail...
That takes considerably more skill than I currently have.