1. 121
    1. 50

      Changes so far to OpenSSL 1.0.1g since the 11th include:

      • Splitting up libcrypto and libssl build directories
      • Fixing a use-after-free bug
      • Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
      • Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
      • Removal of most (all?) backend engines, some of which didn’t even have appropriate licensing
      • Ripping out some windows-specific cruft
      • Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
      • KNF of most C files
      • Removal of weak entropy additions
      • Removal of all heartbeat functionality which resulted in Heartbleed

      Commits are happening pretty fast, but the API is not being changed.

      1. 7

        FYI, I’ve posted a git repo of the changes OpenBSD made to https://github.com/jmhodges/libssl

        Easier to read than digging through cvs per-file histories. It’s a one-time dump for now.

        1. 3

          You can get commit logs for the BSDs at FreshBSD:

          (I had blissfully acclimatised to how much easier it is to read a revision log when you actually have, you know, a revision log, as opposed to trying to piece history together out of file-based logs. Trying to get an idea of what the OpenBSDs are up to was a painful reminder. In CVS it looks like a lot fewer changes than you realise once you look at a revision log. They really are applying that plasma torch fast and thick.)

          Loving the colourful commit messages. “Toss a unifdef -U OPENSSL_SYS_WINDOWS bomb into crypto/bio.” “Go home, VMS, you’re drunk”. “Q: How would you like your lies, sir? A: Rare.” Etc.

          1. 1

            commitid support should help there, but I haven’t been able to turn it on for us yet.

      2. 5

        I hope the new version is called OpenOpenSSL.

        1. 12

          Joking aside, I’d probably vote for OpenTLS.

        2. 4


          1. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
        3. 1

          Haha I thought of that… But I think I like OpenTLS best.

      3. 2

        what’s a “backend engine”? is that just “engine”? if so, i suspect they will keep the engine interface as it’s used by openssh (eg for hardware modules) (if i’m remembering right).

        (i hope this works; i hope the openssl crew can then find some way to switch to this (i think that would be hard even without external pressure from companies that have paid for code that is being stripped, but still, i hope it can happen)),

        1. 4

          All of the engines that interfaced with hardware crypto accelerators. The interface still exists AFAIK, but all of the individual engines are gone.

          1. 2

            wow. all of them indeed. strangely, it looks like the pkcs11 engine was always third party - https://www.opensc-project.org/opensc/wiki/engine_pkcs11

      4. 2

        I think stripping down openssl is a good idea.

        May I propose some more things? Go through the algorithms and identify ones that are basically unused. An example is DSA. Also, it may be debatable to remove algorithms that are generally considered too weak to be used. RC4 comes to mind, which will probably see a deprecation RFC soon.

        1. 3

          I think you will see the OpenBSD developers doing this - they are aggressively attacking the code at the moment.

        2. 1

          Not supporting things like that may prevent adoption for people who are stuck using them for backwards compatibility with older systems.

          Arguably if they don’t have the resources to fix those systems they may not have the resources to switch to this, once it’s usable, anyway. shrug

      5. 1

        Will this make merges of upstream changes significantly more difficult?

        1. 14

          It sounds like they’re not just completely abandoning compatibility with upstream; they’re incinerating compatibility with upstream with a plasma torch.

        2. 5

          Why do you think they have any intention of merging?

          1. 5

            Because they’re smart people and probably learned their lesson after that Frankenstein monster of an Apache they had to solely maintain for so many years before dumping?

            1. 2

              I think they will follow the same policy as for OpenSSH when it comes to providing code to a project that is of no use to them at all.

            2. 1

              It was a fine daemon, really.

              Merging of upstream changes stopped because they switched to a non-free license.

      6. 1

        wow, you weren’t kidding about the “massive”! very exciting stuff, gives me much the same sort of thrill that reading books like “where wizards stay up late” does.

      7. 1

        Congrats, @jcs. I think you’re the first member of the 100 point story club.

    2. 4

      After OpenSSL which other venerable yet dusty codebases deserve the fork/cleanup treatment?

      1. 4

        venerable or vulnerable? :)

        1. 1

          Same thing for me. ;]

        2. 1

          HA that’s pretty good. I was trying to give OpenSSL a slight touch of respect with that adjective. Everyone’s flat-out trashing it so no need for me to pile on there.

          I still think instead of disparaging OpenSSL post-mortem, our time would be better spent turning our eyes to the next one.

          1. 1

            our time would be better spent turning our eyes to the next one.


    3. 1

      Does anyone know how portable Apple’s Secure Transport is to other *nix?

      1. 1

        Not sure, but very little software uses it. Patching the universe of software that uses OpenSSL would be even more work.

    4. 1

      OpenOpenSSL.org is it?