Resources for Security Engineers to understand & harden the SSL crypto stack. Written 2016-02. Updated 2017-04
Cryptographic Libraries such as OpenSSL provide the utilities which provide encryption.
Modules provide integration between applications which dont make calls directly to OpenSSL, such as mod_ssl which provides the intergration between Apache and OpenSSL.
OpenSSL is the defacto standard for providing cryptographic functions in Linux. However in the last few years it has had bad track record, I wrote an blog rant a few years back after heartbleed and since then the blood letting has continued. The problems will of course continue to be discovered in not just software but the concepts and implementation of all aspects. Because its impossible to analyse every new concept, rather time is only allocated to auditing whats actually being actively used
There are many many more vulnerbilities to be discovered in the implementation of everything from client to server, the design of ciphers & protocols will be untrusted as new attacks and computing power changes, therefore its important in my view to limit risk by multiple methods.
I have migrated to LibreSSL however there are problems in ALL software.
LibreSSL is very easy to install on FreeBSD, if you use OpenBSD it is the default library. Using LibreSSL gives you the ability to run Chacha20-poly1305, and has done since well before OpenSSL. While it is a fork of OpenSSL, a lot of defunct code has been removed. Its fully compatible with NGINX and I will test OpenVPN shortly however a cipher list displays chacha.
portsnap fetch && portsnap extract(use this if you havnt used ports before)
portsnap fetch && portsnap update(use this update the new changes)
make install clean(go ahead and select defaults)
which opensslreveals that "/usr/bin/openssl" is the OpenSSL system default
/usr/local/bin/openssl versionis LibreSSL. Installs will use this automatically.
make install clean(select your desired options - include SSL/SPDY or HTTP2)
nginx -Vwill display:
and youre all done!