#LibreSSL


Released: #swad v0.1 🥳

Looking for a simple way to add #authentication to your #nginx reverse proxy? Then swad *could* be for you!

swad is the "Simple Web Authentication Daemon", written in pure #C (+ #POSIX) with almost no external dependencies. #TLS support requires #OpenSSL (or #LibreSSL). It's designed to work with nginx' "auth_request" module and offers authentication using a #cookie and a login form.

Well, this is a first release and you can tell by the version number it isn't "complete" yet. Most notably, only one single credentials checker is implemented: #PAM. But as pam already allows pretty flexible configuration, I already consider this pretty useful 🙈

If you want to know more, read here:
github.com/Zirias/swad


Finally a #poudriere bulk build of my package list succeeded for #FreeBSD 14.1. Quite some #libressl fallout to fix (I still refuse to use OpenSSL ...) ... and a few other mysterious issues.

Testing it on my desktop right now. #ZFS #bootenvironments are still AWESOME! Did just the following:

# bectl create new
# bectl mount new /mnt/tmp
# cd /usr/src
# make BATCH_DELETE_OLD_FILES=yes DESTDIR=/mnt/tmp installkernel installworld delete-old delete-old-libs
# etcupdate -D /mnt/tmp
# etcupdate resolve -D /mnt/tmp
# pkg -c /mnt/tmp upgrade -f
# pkg -c /mnt/tmp autoremove
# bectl umount new
# bectl activate -t new

Full upgrade without touching the running installation, one single reboot to test it! Yes, for a major upgrade, running was FreeBSD 13.3 😁

Finishing up some longstanding work started in 2022, Bob Beck committed a patch enabling namespaced (symbol hiding) builds by default for libssl and libcrypto for #LibreSSL in #OpenBSD -current.

beck@ modified src/lib/libcrypto/Makefile: Enable namespaced builds by default for libssl and libcrypto.

Some further refinements will happen to the build process to automatically generate the Symbols.namespace file, and to remove our last public unhidden symbol (which was a mistake, but waits for a major bump to get removed)

But for now everything should be using this.

ok tb@

In addition to a flurry of commits over the years hiding symbols, the initial commit notes:

Fully explained in libcrypto/README. TL;DR make sure libcrypto and libssl's function calls internally and to each other are via symbol names that won't get overridden by linking other libraries.

Mostly work by guenther@, which will currently be gated behind a build setting NAMESPACE=yes. once we convert all the symbols to his method we will do a major bump and pick up the changes.

ok tb@ jsing@

cvsweb.openbsd.org/cgi-bin/cvs

#OpenBSD uses an explicit list of symbols exported to help avoid unintentional namespace pollution for a number of base libraries, starting with libc in 2015.

marc.info/?l=openbsd-cvs&m=144

OK, updated the MacPorts got 0.98.2 PR here:

github.com/macports/macports-p

Which is mostly referring to more voluminous stuff I detailed in Trac here:

trac.macports.org/ticket/69827

My most recent iteration of the Portfile does at least:

1. install in a clean MacPorts tree (which is kind of close to what GitHub Actions CI will do, so presumably this would pass that).

2. smart enough to pick the correct variant if LibreSSL is installed and seems to (mostly) work.

However, it fails the %port -vst install PR prerequisite.

Also, the dependency walk it does if %port install +libressl is explicitly stated, is completely friggin bonkers and will, predictably, fail, because it wants to install libressl and openssl3 simultaneously (though it doesn't have libretls as a dependency at least I guess that is almost a good thing?)

Feeling very lost.

GitHub: got: update to 0.98.2 by artkiver · Pull Request #23716 · macports/macports-ports
#Got #TLS #libressl

Well, I wanted to test #FreeBSD #PowerShell for my use case (which I *guess* I have, still not entirely sure), but ... I thought now that the port works, let's first rebase #ports (on main).

BAAAD idea. Not only did some change force my #poudriere to rebuild more or less *everything*, I also had fallout to fix from new #LibreSSL incompatibilities and some strange build error with #llvm-17.

Right now STILL waiting for the build of #chromium to finish.

Ok, testing PowerShell: tomorrow. 🙄

Goal: Get some #letsencrypt certificate obtained with #uacme deployed on some #Windows box

Step 1: Ok, this probably works best with #Powershell (which I don't really like ...)

Step 2: There's no #FreeBSD port ... but hey, there's now a FreeBSD port of #dotnet, let's try to "just" build Powershell using that.

Step 3: Hell why does it fail to build. Oh, System.Security.Cryptography.Native doesn't play well with #LibreSSL

Patch and retry, I guess I'll take some sleep now first. Bah!

(there's some irony in running into OpenSSL/LibreSSL issues when trying to deploy TLS certificates ...)

This whole #urllib3 / #OpenSSL situation is getting absurd.

I don't have sympathy for #OpenBSD or #LibreSSL. However, I can understand that they had good reasons to fork OpenSSL, and that switching back today would be hard.

I can understand projects refusing to officially declare support and rejecting workarounds. But pushing LibreSSL hate to the point of blocking #Python implementations that don't link to OpenSSL is just horrible. Users get in the crossfire, again.

github.com/urllib3/urllib3/iss

GitHub: Drop support for OpenSSL<1.1.1 · Issue #2168 · urllib3/urllib3, by pquentin

@SpaceLifeForm @Perl This isn’t just shelling out to #curl or #wget (which core tools like #CPAN already fall back on). This is about in-process #TLS, which is currently best supported in #Perl by IO::Socket::SSL and its dependency Net::SSLeay, which in turn depends on either #OpenSSL or #LibreSSL with development header files.

There are modules that wrap #libcurl and other interfaces, but the more popular HTTP and other client modules don’t use them.

heise+ | OpenBSD 7.1 tested: Unix distribution runs stably on Apple M1 systems

The port of OpenBSD 7.1 to Apple's modern ARM hardware is nearly complete, with help from the Asahi Linux project. This is what OpenBSD offers.
heise online, by Michael Plura