  1. Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 15-Jan-2026 08:54:33 JST

    This is a must-read.

    https://cryptography.io/en/latest/statements/state-of-openssl/

    #python #cryptography #crypto #openssl #opensource

    • ticho (ticho@mas.to)'s status on Thursday, 15-Jan-2026 09:45:08 JST

      @soatok Holy crap on a cracker, I knew things at OpenSSL were bad, but *this* bad? 🤔

    • Millie (millie@infosec.exchange)'s status on Thursday, 15-Jan-2026 09:45:23 JST

      @soatok I've neither been a fan of the python cryptography library nor OpenSSL, but this was an extremely refreshing read. I'm happy someone else has caught up on the substantial problems with OpenSSL. Thank you for sharing!

    • Botch Frivarg (deetwenty@todon.nl)'s status on Thursday, 15-Jan-2026 21:04:55 JST

      @soatok I've read it multiple times now and each time baffled at the OSSL_PARAM thing. The given reason (having the same ABI for different algorithms) is not a great reason for adding this much complexity, and any other reason I can think of (ABI compatibility between versions) can be done in less complex and error-prone ways. It feels like the kind of solution someone comes up with who wants to show just how clever they are.

    • ティージェーグレェ (teajaygrey@snac.bsd.cafe)'s status on Thursday, 15-Jan-2026 21:05:55 JST

      Ah wow:

      "Where we deem it desirable, we will add new APIs that are only on LibreSSL/BoringSSL/AWS-LC. Concretely, we expect to add ML-KEM and ML-DSA APIs that are only available with LibreSSL/BoringSSL/AWS-LC, and not with OpenSSL."

      As one of MacPorts' LibreSSL maintainers, this is vaguely heartening, but also, stresses me out a bit more, since I think there are around 600-800 Portfiles that can probably be modified to use the dylib approach (something similar to adding this line to the Portfile:

      depends_lib path:lib/libssl.dylib:openssl \

      which facilitates MacPorts defaulting to whatever TLS library is installed, and if that is LibreSSL as I do from a fresh MacPorts install, great!) but I haven't gotten around to modifying and testing those hundreds of Portfiles, let alone submitting Pull Requests which have gotten merged, even though it's been in the back of my mind for years and AFAIK, there are Trac issues for MacPorts that predate my helping out as a maintainer which express similar desires for more harmonious and widespread LibreSSL coexistence.

      As it stands, I already feel as if I am burning the candle at both ends while contending with homelessness, over $12,000 USD in debt on my credit card and a paucity of income relative to my living expenses.

      I'm also really not a fan of Python (though I admit, the last time it was dragged in as some dependency during an installation of something, at least it didn't try to install OpenSSL, as sometimes happens with some MacPorts), to understate it.

      But y'know, cool! I think? Maybe?

      I'm also more or less certain that rpki-client prefers LibreSSL (no surprise, I think more or less all OpenBSD related projects do), but in the release notes for 9.7 (for which I recently submitted a Pull Request to update MacPorts' version to, so they're sort of fresh in my memory) there was mention of OpenSSL 4, which I guess is looming? Clemens also recently posted something to macports-dev about OpenSSL 3.6, and I admit, I pay less close attention to OpenSSL, but at least got the sense that other TLS library efforts are ongoing.

      I probably don't want to know the answer to how many are using AWS-LC; I'd be vaguely curious how widely used BoringSSL is these days. Apple switched to LibreSSL an awfully long time ago now, but they seem as if they drag their feet on updating it and at the moment on macOS 26.2 it looks as if Apple are still shipping LibreSSL 3.3.6 (from March 15, 2022) whereas I'm running 4.2.1 (from October 30th, 2025, only three years and change more recent!) via MacPorts.

      Having written as much, last year I think I saw yet another fork of OpenSSL and I may have even created a Trac issue to begin exploring it, but I can't remember the name of it off the top of my head at the moment and even after reading the slide deck from the conference where it was presented I think I had more questions than answers as to why it even came into existence.
    • fnord (fnrd@toots.nu)'s status on Thursday, 15-Jan-2026 21:34:57 JST

      @soatok Good read.
      "We do not fully understand the motivations that led to the public APIs and internal complexity we’ve described here. We’ve done our best to reverse engineer them by asking “what would motivate someone to do this” and often we’ve found ourselves coming up short."
      The purpose of the system is what it does. Cui bono?


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.