Closed timkuijsten closed 8 years ago
Here's something for y'all to play with if you have the interest and time in rounding it out: https://github.com/nodejs/node/pull/9376 — most of the way to supporting LibreSSL but still a few pieces not quite working. No guarantee that this'll ever get merged mind you.
Node would be the only package on those systems affected by all OpenSSL vulnerabilities, and would need to get security updates every time because it uses a bundled OpenSSL library so updating the system's OpenSSL would not be enough.
@rsp node can be built against the system OpenSSL; it doesn't have to build against the builtin.
even with core initiative financial support, openssl is still a mess, bug reports get ignored since years, for example openssl still does not build against musl libc even though i reported the bugs with attached patches in 2011(!), and they have an idiotic perl-based build system, that's ultra-slow and unwanted because we don't want to have to pull perl dependencies into our distro to build such a core piece of infrastructure. since libressl uses a non-retarded standard autoconf build system, it builds in less than half of the time that openssl needs. additionally libressl is much more secure, there have been numerous openssl bugs now libressl was not vulnerable to. the only APIs that libressl removed are those that are insecure and should not be used. so you guys would be better off not using them as well, and then nodejs build would work automatically against libressl, openssl, and everyone else. you really shouldn't be the only major hurdle in the way of users that want to replace the ever-broken openssl with something better.
Would be great to see something advancing here. It's been 2 years since last comment.
Another year and still no news?
Hack up or put up!
@qbit I believe @Gottox had a working implementation some time ago so the question by @JoeUser78 is not unreasonable.
Posting now that libressl has removed the functions necessary for this ugly hack to work as of 3.9.0. Strange how github won't let me upload this... https://pastebin.com/AhK7ynSu
Of note; SetRsaOaepLabel is probably leaking memory using libre or openssl. This patch is a pile of miserable hacks from various sources. The functionality of nodejs-20.11.1 was tested against building recent versions of firefox and invoking via commandline, which was found working.
Is there any experience with or are there any plans on replacing OpenSSL with the leaner and meaner LibreSSL with its new libtls API now that both io.js and LibreSSL have their first releases out?