2019-01-24 12:44 CET

ID: 0004998
Project: libmicrohttpd
Category: HTTPS (SSL)
View Status: public
Last Update: 2019-01-09 20:02
Reporter: silvioprog
Assigned To: silvioprog
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: feedback
Resolution: open
Product Version: current SVN
Target Version: current SVN
Fixed in Version:
Summary: 0004998: LibreSSL support

Description:

Hello,

I've used Let's Encrypt free automated open CA (https://letsencrypt.org) to build HTTPS servers and I've used acme-client client, that is written in C, and found the following interesting message on its home page (https://kristaps.bsd.lv/acme-client):

"Be up-front about security: OpenSSL is known to have issues (https://www.openssl.org/news/vulnerabilities.html), you can't trust what comes down the pipe, and your private key's integrity is a hard requirement. Not a situation where you can be careless. Acme-client is a client for Let's Encrypt users, but one designed for security. No Python. No Ruby. No Bash. A straightforward, open source (https://github.com/kristapsdz/acme-client/blob/master/LICENSE.md) implementation in C that isolates each step of the sequence."

So, I'm opening this feature request because it would be nice to have LibreSSL support in MHD, and it seems simpler than OpenSSL to be implemented.

LibreSSL at wikipedia: https://en.wikipedia.org/wiki/LibreSSL
Official LibreSSL page: https://www.libressl.org

Additional Information: Related to: https://gnunet.org/bugs/view.php?id=4917 .
Tags: ssl https

Relationships
related to 0004917 (new): OpenSSL support
related to 0004918 (new): mbed TLS support

Notes

~0012447

ng0 (reporter)

I doubt that the statement of LibreSSL is still an issue.

LibreSSL was started when Heartbleed was around.

Now this isn't a statement based on my experience but someone I know told me "OpenBSD might have good software but they also ignore lots of modern standards" from an independent audit they made. OpenBSD also has regular problems with financial support. In contrast to this, OpenSSL is well established and has long-term financial support.

It makes sense to support both of them, not to limit oneself to OpenSSL OR LibreSSL.
This is possible, and should be the preferred solution as there are systems that have to decide on one of them.

~0012846

silvioprog (developer)

Totally agreed.

I'm inclined to close this issue and open a new one with "[enhancement] Add support for other SSL libraries (at least mbed, openssl)".

What do you think?

~0013450

mwarning (reporter)

For the record. This is also an issue on VoidLinux:
```
xbps-install libmicrohttpd-devel
libcrypto44-2.8.3_1 (update) breaks installed pkg `libressl-2.8.2_1'
libssl46-2.8.3_1 (update) breaks installed pkg `libressl-2.8.2_1'
libtls18-2.8.3_1 (update) breaks installed pkg `libressl-2.8.2_1'
Transaction aborted due to unresolved dependencies.
```

Issue History
Date Modified Username Field Change
2017-04-26 17:21 silvioprog New Issue
2017-04-26 17:21 silvioprog Tag Attached: ssl https
2017-04-26 17:22 silvioprog Relationship added related to 0004917
2017-09-27 11:48 ng0 Note Added: 0012447
2018-02-01 00:02 silvioprog Note Added: 0012846
2018-02-01 00:02 silvioprog Assigned To => silvioprog
2018-02-01 00:02 silvioprog Status new => feedback
2018-02-01 00:08 silvioprog Relationship added related to 0004918
2019-01-09 20:02 mwarning Note Added: 0013450