LibreSSL for CentOS 7

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

LibreSSL for CentOS 7

Post by AliceWonder » 2015/08/06 14:35:09

I'm working on a fun little interesting project - LibreSSL for CentOS 7.

Part of the motivation is that TLS 1.3 may be finalized soon; when it is, I would like to support it on my web servers before CentOS 8... but part of the motivation is that it is frustrating how often I come across SSL servers with modern OpenSSL where insecure protocols and cipher suites are enabled simply because the webmaster didn't specifically disable them in the Apache configuration. LibreSSL helps resolve that problem because it has ripped a lot of those out.

http://awel.domblogger.net/7/libre/x86_64/repoview/
http://awel.domblogger.net/7/libre/src/repoview/

That's what I've got right now - httpd has a minor packaging error that causes it not to start (I'll fix that by this afternoon).

No repo file and NOT production ready by any stretch of the imagination.

When there is a repo file, it will probably exclude things like net-snmp by default; it is only there because stock net-snmp-devel is a BuildRequires for my php build that pulls in openssl-devel, but openssl-devel conflicts with libressl-devel.

So building php against libressl would fail in mock if I didn't rebuild net-snmp to use libressl. But on an installed server, even if using the php interface to net-snmp, it probably would be better to have the CentOS net-snmp (should be ABI compatible).

MariaDB - it builds and at least superficially works but I had to disable six tests in the test suite - all SSL tests - to get the very extensive test suite to pass.

Those are things I have to investigate, whether the tests are failing because of a LibreSSL issue or bugs in the tests (e.g. using features of OpenSSL not available in LibreSSL).

LibreSSL is supposed to be API compatible with OpenSSL 1.1, but if a test uses RC4 for example it will fail because LibreSSL has ripped that out.

Anyway, it is a fun thing to be working on; hopefully soon I'll have a CentOS 7 VM running Apache with mod_ssl linked against it for the public to play with.

I'm tending to use the latest versions because they are less likely to have compile issues; some of the bugs fixed by the OpenBSD (and other) developers in those packages are in the upstream sources.

-=-

Right now I'm using php 5.6.11 (I use that on my production servers anyway) - not in the repos linked yet, but it builds - but I'm tempted to go all in and start playing with the php 7 test releases. We'll see.

-=-

Just a fun little thing I'm working on, though some might be interested.

CentOS - I use it because I want stability over bleeding edge, but php is always something where I then build bleeding edge on top of CentOS - and now there are so many upsides to LibreSSL in my mind that I just don't personally want to wait for RHEL / CentOS 8 (if it even makes it into them, which is not a sure thing).

Other than libressl-devel, it should install side by side with openssl without conflict.

remirepo
Posts: 447
Joined: 2014/09/21 09:07:12
Location: France

Re: LibreSSL for CentOS 7

Post by remirepo » 2015/08/06 15:26:47

> not in the repos linked yet but it builds

Note that at least one repo proposes 5.6.12 and 7.0.0beta3 RPMs ;)
Remi's Repository - Forum - Blog

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: LibreSSL for CentOS 7

Post by AliceWonder » 2015/08/06 17:24:47

Is 5.6.12 out?

It's not mentioned on the php front page. It's about time for it though; it's been about a month.

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: LibreSSL for CentOS 7

Post by AliceWonder » 2015/08/06 20:03:47

Just a note -

The %post scriptlet in the mod_ssl package is broken.

The issue is that options that the CentOS /usr/bin/openssl accepts don't work with LibreSSL.

That's exactly why my libressl rpm renames its openssl command to libressl - so that it won't ever break scripts expecting certain behavior.

The %post scriptlet only broke because I call libressl instead of openssl - but I'm fixing it.

Both generation of the private key for localhost and generation of the self-signed cert broke.

Generation of the private key is fixed, self-signed cert not yet - that may actually be caused by the configuration files not having enough defined. The v3_req extension is not defined.

It will get done, but first I need a beer and a nap. I think I have a weird sense of what fun is.
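The two steps the post says broke in the mod_ssl %post scriptlet, key generation and a self-signed localhost certificate, rewritten as an added example that is not the packager's scriptlet or LibreLAMP code. It assumes an `openssl`-compatible binary on PATH (the renamed `libressl` command can be substituted) and uses only `req`/`x509` options this example assumes both toolkits accept, with the `v3_req` section the post says was undefined spelled out explicitly.

```shell
#!/bin/sh
# Generate a private key and self-signed cert for localhost from an explicit
# config that defines [v3_req], so the extensions the cert references exist.
# Assumption: `openssl` on PATH is OpenSSL or LibreSSL with compatible options.
gen_localhost_cert() {
    dir="$1"
    cfg="$dir/localhost.cnf"
    cat > "$cfg" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_req
prompt             = no

[ req_dn ]
CN = localhost

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:localhost, IP:127.0.0.1
EOF
    # One invocation creates both the key (unencrypted, as a server needs at
    # boot) and the self-signed certificate, naming the extension section.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$cfg" -extensions v3_req \
        -keyout "$dir/localhost.key" -out "$dir/localhost.crt" 2>/dev/null || return 1
    chmod 600 "$dir/localhost.key"
    # Check that the v3_req extensions actually landed in the certificate;
    # a silently missing SAN is the failure mode worth catching here.
    openssl x509 -in "$dir/localhost.crt" -noout -text | grep -q 'DNS:localhost'
}

# Usage: gen_localhost_cert /etc/pki/tls/localhost-dir
```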

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: LibreSSL for CentOS 7

Post by AliceWonder » 2015/08/07 02:08:22

http://awel.domblogger.net/7/libre/x86_ ... lease.html

That has a yum repo file.

Still use at your own risk.

AliceWonder
Posts: 49
Joined: 2014/09/19 19:36:25

Re: LibreSSL for CentOS 7

Post by AliceWonder » 2015/08/11 10:12:29

https://librelamp.com/

There it is - website isn't finished yet, but the home page and the Install page are (mostly) done.

And yes, it is powered by LibreLAMP running on CentOS 7 ;)
