
LibreSSL: a clean version of OpenSSL (the OpenBSD project)

Participants in the OpenBSD project, who develop the operating system of the same name as well as various tools such as OpenSSH, OpenBGPD, OpenNTPD, and OpenSMTPD, have launched the LibreSSL project. It is a simpler version of OpenSSL, cleared of unnecessary code.

Theo de Raadt, the founder and project manager of OpenBSD and OpenSSH, said that they had already managed to get rid of about 90,000 lines of C code and 150,000 lines of content in general. Support for MacOS, Netware, OS/2, VMS and Windows has been removed, since very few people need any of it.

“We are trying to make the code more understandable. 99.99% of community members do not need VMS support, and 98% do not need Windows support,” says Theo de Raadt. “They need POSIX support so that they can run Unix and Unix derivatives. People don't care about FIPS. The code should be simple. Even after all the changes, the code base is still compatible with the API. Our entire collection of ports (8700 applications) continues to compile and work after all the changes.”

OpenSSL is considered the standard library for cryptographic protection of traffic using the SSL/TLS protocols. But its reputation has been heavily damaged by the Heartbleed bug. As it turned out, about two thirds of the “protected” Internet sites were open to eavesdropping for the last two years. Experts suggest that the world's leading intelligence agencies learned about this vulnerability within a few weeks of its appearance in 2012, because the intelligence services have special units that search for bugs in open source programs.

Workplace of an employee at the NSA headquarters in Fort Meade (MD)

The incident caused widespread criticism of the quality of the OpenSSL code, which is poorly documented and in places incompetently written; see the article “OpenSSL was written by monkeys”.

The LibreSSL project should be a worthy alternative. Among the fragments removed in the fork is code that the OpenSSL developers themselves had planned to remove, but did not.

Source: https://habr.com/ru/post/220367/

