Biz & IT —

OpenSSL code beyond repair, claims creator of “LibreSSL” fork

OpenBSD developers "removed half of the OpenSSL source tree in a week."

OpenSSL code beyond repair, claims creator of “LibreSSL” fork

OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.

OpenSSL has suffered from a lack of funding and code contributions despite being used in websites and products by many of the world's biggest and richest corporations.

The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess.

"Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."

The LibreSSL code base is on OpenBSD.org, and the project is supported financially by the OpenBSD Foundation and OpenBSD Project. LibreSSL has a bare bones website that is intentionally unappealing.

"This page scientifically designed to annoy web hipsters," the site says. "Donate now to stop the Comic Sans and Blink Tags." In explaining the decision to fork, the site links to a YouTube video of a cover of the Twisted Sister song "We're not gonna take it."

LibreSSL is initially built for OpenBSD and will support multiple operating systems after the code and funding are shored up. The OpenBSD operating system itself was created as a fork of NetBSD in 1995.

When asked what he meant by OpenSSL containing "discarded leftovers," de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and [are] still left alone."

De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."

The OpenBSD team started working on LibreSSL about a week ago, he told Ars.

OpenSSL Software Foundation President Steve Marquess declined comment on LibreSSL, saying, "I haven't had the chance to look at what they're doing so I don't want to comment at this time."

In a blog post last week, Marquess described OpenSSL's struggle to obtain funding and code contributions.

"I’m looking at you, Fortune 1000 companies," Marquess wrote. "The ones who include OpenSSL in your firewall/appliance/cloud/financial/security products that you sell for profit, and/or who use it to secure your internal infrastructure and communications. The ones who don’t have to fund an in-house team of programmers to wrangle crypto code, and who then nag us for free consulting services when you can’t figure out how to use it. The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are."

As for Heartbleed, "the mystery is not that a few overworked volunteers missed this bug," Marquess wrote. "The mystery is why it hasn’t happened more often."

The Heartbleed flaw, which can expose user passwords and the private encryption keys used to protect websites, was accidentally added to the code by a volunteer contributor and went undetected for two years. There's more information and discussion about the forking of OpenSSL here.

Channel Ars Technica