portable
LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code. Pull requests or patches sent to tech@openbsd.org are welcome.
Top Related Projects
TLS/SSL and crypto library
Mirror of BoringSSL
An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
An implementation of the TLS/SSL protocols
A modern, portable, easy to use crypto library.
Quick Overview
LibreSSL is a fork of OpenSSL, created by the OpenBSD project in 2014 with the goal of modernizing the codebase, improving security, and applying best practices to the development process. The portable version aims to bring LibreSSL to other operating systems beyond OpenBSD.
Pros
- Improved security through code cleanup and removal of legacy features
- Regular security audits and quick response to vulnerabilities
- Compatible API with OpenSSL, making it easier to switch for existing projects
- Simplified codebase, making it easier to maintain and audit
Cons
- Smaller developer community compared to OpenSSL
- Some features and algorithms may not be implemented as quickly as in OpenSSL
- Potential compatibility issues with software that relies on OpenSSL-specific features
- Less widespread adoption in enterprise environments
Code Examples
- Initializing SSL context:
#include <tls.h>
struct tls_config *config;
struct tls *ctx;
config = tls_config_new();
ctx = tls_client();
tls_configure(ctx, config);
- Creating a TLS connection:
struct tls *conn;
int fd;
if (tls_connect(ctx, "example.com", "443") != 0) {
fprintf(stderr, "tls_connect error: %s\n", tls_error(ctx));
return 1;
}
- Reading and writing data:
char buf[1024];
ssize_t bytes_read, bytes_written;
bytes_read = tls_read(conn, buf, sizeof(buf));
bytes_written = tls_write(conn, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 36);
Getting Started
To use LibreSSL in your project:
- Install LibreSSL on your system (e.g.,
apt-get install libssl-devon Ubuntu) - Include the necessary headers in your C/C++ code:
#include <tls.h> - Compile your program with the LibreSSL library:
gcc -o myprogram myprogram.c -ltls -lssl -lcrypto
For more detailed information, consult the LibreSSL documentation and man pages.
Competitor Comparisons
TLS/SSL and crypto library
Pros of OpenSSL
- Wider adoption and more extensive ecosystem support
- More frequent updates and feature additions
- Broader platform compatibility
Cons of OpenSSL
- Larger codebase, potentially more complex to maintain
- Historical security vulnerabilities due to legacy code
- Slower to remove deprecated or insecure features
Code Comparison
OpenSSL:
int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
{
int j;
BIO *in;
int ret = 0;
X509 *x = NULL;
LibreSSL:
int
SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
{
int ret;
BIO *in;
X509 *x = NULL;
LibreSSL's implementation is slightly more concise, reflecting its focus on simplicity and code cleanliness. OpenSSL's version includes an additional variable declaration and a more complex structure, which aligns with its broader feature set and compatibility requirements.
Both projects aim to provide secure cryptographic libraries, but LibreSSL focuses on streamlining and improving security, while OpenSSL maintains a wider range of features and compatibility. The choice between them often depends on specific project requirements and security priorities.
Mirror of BoringSSL
Pros of BoringSSL
- More actively maintained with frequent updates and contributions
- Designed for performance and optimized for modern systems
- Includes additional features and APIs tailored for Google's infrastructure
Cons of BoringSSL
- Less focus on broad compatibility across different platforms
- May have a steeper learning curve due to its specialized nature
- Not intended as a drop-in replacement for OpenSSL in all scenarios
Code Comparison
BoringSSL:
#include <openssl/ssl.h>
SSL_CTX *ctx = SSL_CTX_new(TLS_method());
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
LibreSSL:
#include <openssl/ssl.h>
SSL_CTX *ctx = SSL_CTX_new(TLSv1_2_method());
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
Both libraries provide similar functionality, but BoringSSL offers more modern APIs and defaults to newer TLS versions. LibreSSL maintains closer compatibility with OpenSSL's API structure.
BoringSSL is tailored for Google's needs and may include optimizations specific to their use cases, while LibreSSL aims for broader compatibility and adherence to OpenSSL's API. Choose based on your project's requirements and target platforms.
An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
Pros of Mbed-TLS
- More portable and lightweight, suitable for embedded systems and IoT devices
- Easier to integrate into existing projects due to its modular design
- Extensive documentation and examples for various use cases
Cons of Mbed-TLS
- Less comprehensive feature set compared to LibreSSL
- May have slower performance for some cryptographic operations
- Smaller community and less frequent updates
Code Comparison
Mbed-TLS (initializing an SSL context):
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
LibreSSL (initializing an SSL context):
SSL_CTX *ctx;
SSL *ssl;
ctx = SSL_CTX_new(TLS_client_method());
ssl = SSL_new(ctx);
SSL_set_connect_state(ssl);
Both libraries provide similar functionality for SSL/TLS operations, but Mbed-TLS focuses on simplicity and portability, while LibreSSL offers a more comprehensive feature set and compatibility with OpenSSL. The choice between them depends on the specific requirements of your project, such as target platform, performance needs, and desired feature set.
The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
Pros of wolfSSL
- Smaller footprint and faster performance, especially on embedded systems
- More extensive hardware cryptography support
- Broader platform compatibility, including RTOS and embedded systems
Cons of wolfSSL
- Less widely adopted compared to LibreSSL
- May require more manual configuration for certain use cases
- Smaller community and ecosystem
Code Comparison
wolfSSL example:
#include <wolfssl/ssl.h>
WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
WOLFSSL* ssl = wolfSSL_new(ctx);
wolfSSL_connect(ssl);
LibreSSL example:
#include <openssl/ssl.h>
SSL_CTX* ctx = SSL_CTX_new(TLSv1_2_client_method());
SSL* ssl = SSL_new(ctx);
SSL_connect(ssl);
Both libraries provide similar APIs, with wolfSSL using its own naming conventions. The core functionality remains comparable, but wolfSSL offers additional options for embedded systems and hardware acceleration.
An implementation of the TLS/SSL protocols
Pros of s2n-tls
- Designed specifically for cloud environments, optimized for AWS services
- Smaller codebase, potentially easier to audit and maintain
- Focuses on a subset of TLS features, reducing complexity
Cons of s2n-tls
- Less comprehensive feature set compared to LibreSSL
- May not be as widely adopted or tested in diverse environments
- Potentially less suitable for general-purpose TLS implementations
Code Comparison
s2n-tls:
int s2n_negotiate(struct s2n_connection *conn, s2n_blocked_status *blocked)
{
while (conn->mode != S2N_MODE_APP_DATA) {
int r = s2n_handshake(conn, blocked);
if (r < 0) {
return r;
}
}
return 0;
}
LibreSSL:
int
SSL_do_handshake(SSL *s)
{
int ret = 1;
if (s->handshake_func == NULL) {
SSLerror(s, SSL_R_CONNECTION_TYPE_NOT_SET);
return -1;
}
s->method->ssl_renegotiate_check(s);
if ((ret = s->handshake_func(s)) <= 0)
return ret;
return 1;
}
The code snippets show different approaches to handling TLS handshakes. s2n-tls uses a simpler loop structure, while LibreSSL employs a more complex function with additional checks and error handling.
A modern, portable, easy to use crypto library.
Pros of libsodium
- Focused on modern, high-security cryptographic primitives
- Easier to use API with fewer opportunities for misuse
- Cross-platform support with better portability
Cons of libsodium
- Smaller feature set compared to LibreSSL
- Less compatibility with legacy systems and protocols
- Not a drop-in replacement for OpenSSL in many cases
Code Comparison
LibreSSL (TLS connection):
SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
SSL *ssl = SSL_new(ctx);
SSL_set_fd(ssl, socket);
SSL_connect(ssl);
libsodium (Public-key encryption):
unsigned char pk[crypto_box_PUBLICKEYBYTES];
unsigned char sk[crypto_box_SECRETKEYBYTES];
crypto_box_keypair(pk, sk);
crypto_box_easy(ciphertext, message, message_len, nonce, pk, sk);
Summary
LibreSSL is a more comprehensive cryptographic library, offering a wider range of features and better compatibility with existing systems. libsodium, on the other hand, provides a more modern and user-friendly approach to cryptography, focusing on high-security primitives and ease of use. The choice between the two depends on specific project requirements, such as legacy support needs or the desire for a simpler API.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Official portable version of LibreSSL
LibreSSL is a fork of OpenSSL 1.0.1g developed by the OpenBSD project. Our goal is to modernize the codebase, improve security, and apply best practice development processes from OpenBSD.
Compatibility with OpenSSL
LibreSSL provides much of the OpenSSL 1.1 API. The OpenSSL 3 API is not currently supported. Incompatibilities between the projects exist and are unavoidable since both evolve with different goals and priorities. Important incompatibilities will be addressed if possible and as long as they are not too detrimental to LibreSSL's goals of simplicity, security and sanity. We do not add new features, ciphers and API without a solid reason and require that new code be clean and of high quality.
LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily earlier releases of LibreSSL. You will need to relink your programs to LibreSSL in order to use it, just as in moving between major versions of OpenSSL. LibreSSL's installed library version numbers are incremented to account for ABI and API changes.
Compatibility with other operating systems
While primarily developed on and taking advantage of APIs available on OpenBSD, the LibreSSL portable project attempts to provide working alternatives for other operating systems, and assists with improving OS-native implementations where possible.
At the time of this writing, LibreSSL is known to build and work on:
- Linux (kernel 3.17 or later recommended)
- FreeBSD (tested with 9.2 and later)
- NetBSD (7.0 or later recommended)
- HP-UX (11i)
- Solaris 11 and later
- Mac OS X (tested with 10.8 and later)
- AIX (5.3 and later)
- Emscripten (3.1.44 and later)
LibreSSL also supports the following Windows environments:
- Microsoft Windows (Windows 7 / Windows Server 2008r2 or later, x86 and x64)
- Wine (32-bit and 64-bit)
- MinGW-w64, Cygwin, and Visual Studio
Official release tarballs are available at your friendly neighborhood OpenBSD mirror in directory LibreSSL, although we suggest that you use a mirror.
The LibreSSL portable build framework is also mirrored on GitHub.
Please report bugs either to the public libressl@openbsd.org mailing list, or to the GitHub issue tracker
Severe vulnerabilities or bugs requiring coordination with OpenSSL can be sent to the core team at libressl-security@openbsd.org.
Building LibreSSL
Building from a Git checkout
If you have checked out this source using Git, or have downloaded a source tarball from GitHub, follow these initial steps to prepare the source tree for building. Note: Your build will fail if you do not follow these instructions! If you cannot follow these instructions or cannot meet these prerequisites, please download an official release distribution from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ instead. Using official releases is strongly advised if you are not a developer.
- Ensure that you have a bash shell. This is also required on Windows.
- Ensure that you have the following packages installed: automake, autoconf, git, libtool, perl.
- Run
./autogen.shto prepare the source tree for building.
Build steps using configure
Once you have the source tree prepared, run these commands to build and install:
./configure # see ./configure --help for configuration options
make check # runs builtin unit tests
make install # set DESTDIR= to install to an alternate location
Alternatively, it is possible to run ./dist.sh to prepare a tarball.
Build steps using CMake
Once you have the source tree prepared, run these commands to build and install:
mkdir build
cd build
cmake ..
make
make test
For faster builds, you can use Ninja:
mkdir build-ninja
cd build-ninja
cmake -G"Ninja" ..
ninja
ninja test
Or another supported build system like Visual Studio:
mkdir build-vs2022
cd build-vs2022
cmake -G"Visual Studio 17 2022" ..
Additional CMake Options
| Option Name | Default | Description |
|---|---|---|
LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules. Can be specified from command line using -DLIBRESSL_SKIP_INSTALL=ON |
LIBRESSL_APPS | ON | allows skipping application builds. Apps are required to run tests |
LIBRESSL_TESTS | ON | allows skipping of tests. Tests are only available in static builds |
BUILD_SHARED_LIBS | OFF | CMake option for building shared libraries. |
ENABLE_ASM | ON | builds assembly optimized rules. |
ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms |
ENABLE_NC | OFF | Enable installing TLS-enabled nc(1) |
OPENSSLDIR | Blank | Set the default openssl directory. Can be specified from command line using -DOPENSSLDIR=<dirname> |
Build information for specific systems
HP-UX (11i)
Set the UNIX_STD environment variable to 2003 before running configure
in order to build with the HP C/aC++ compiler. See the "standards(5)" man
page for more details.
export UNIX_STD=2003
./configure
make
MinGW-w64 - Windows
LibreSSL builds against relatively recent versions of MinGW-w64, not to be confused with the original mingw.org project. MinGW-w64 3.2 or later should work. See README.mingw.md for more information.
Emscripten
When configuring LibreSSL for use with Emscripten, make sure to prepend
emcmake to your cmake configuration command. Once configured, you can
proceed with your usual cmake commands. For example:
emcmake cmake . -Bbuild
cmake --build build --config Release
ctest --test-dir build -C Release --output-on-failure
Using LibreSSL
CMake
Make a new folder in your project root (where your main CMakeLists.txt file is
located) called CMake. Copy the FindLibreSSL.cmake file to that folder, and
add the following line to your main CMakeLists.txt:
set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}")
After your add_executable or add_library line in your CMakeLists.txt file
add the following:
find_package(LibreSSL REQUIRED)
It will tell CMake to find LibreSSL and if found will let you use the following
3 interfaces in your CMakeLists.txt file:
- LibreSSL::Crypto
- LibreSSL::SSL
- LibreSSL::TLS
If you for example want to use the LibreSSL TLS library in your test program, include it like so (SSL and Crypto are required by TLS and included automatically too):
target_link_libraries(test LibreSSL::TLS)
Full example:
cmake_minimum_required(VERSION 3.10.0)
set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}")
project(test)
add_executable(test Main.cpp)
find_package(LibreSSL REQUIRED)
target_link_libraries(test LibreSSL::TLS)
Linux
Following the guide in the sections above to compile LibreSSL using make and
running sudo make install will install LibreSSL to the /usr/local/ folder,
and will be found automatically by find_package. If your system installs it to
another location, or you have placed them yourself in a different location, you
can set the CMake variable LIBRESSL_ROOT_DIR to the correct path, to help
CMake find the library.
Windows
Placing the library files in C:/Program Files/LibreSSL/lib and the include
files in C:/Program Files/LibreSSL/include should let CMake find them
automatically, but it is recommended that you use CMake-GUI to set the paths.
It is more convenient as you can have the files in any folder you choose.
Top Related Projects
TLS/SSL and crypto library
Mirror of BoringSSL
An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
An implementation of the TLS/SSL protocols
A modern, portable, easy to use crypto library.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot