Since the disclosure of the Heartbleed bug in OpenSSL, arguments have emerged around the safety of OpenSSL, the most widely used open source SSL/TLS library, relied on by a large number of servers and applications. Some people have even started to create their own version of the SSL library. This includes OpenBSD, a well-known Unix-like open source operating system.
Just a few days after Heartbleed was disclosed, OpenBSD forked OpenSSL into its own tree, started cleaning up the fork, and plans to merge it into its own code base. So far the changes made to the forked OpenSSL library include:
- Splitting up libcrypto and libssl build directories
- Fixing a use-after-free bug
- Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
- Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
- Removal of most (all?) backend engines, some of which didn’t even have appropriate licensing
- Ripping out some windows-specific cruft
- Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
- KNF (OpenBSD's Kernel Normal Form C coding style) applied to most C files
- Removal of weak entropy additions
- Removal of all heartbeat functionality, the code that caused Heartbleed
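The last item is the one most readers will care about, so here is an added illustration of what the heartbeat bug actually was and what the upstream fix checks. This is not OpenSSL's or OpenBSD's code: it is a simplified, self-contained model of the RFC 6520 heartbeat message (1-byte type, 2-byte declared payload length, payload, at least 16 bytes of padding) run over a constructed sample buffer in which a 21-byte request is followed by 11 bytes standing in for neighbouring memory. The "vulnerable" path trusts the declared payload length and echoes that many bytes; the "fixed" path applies the length check that shipped in OpenSSL 1.0.1g (header + declared payload + minimum padding must fit in the bytes actually received). Padding is zeroed here for determinism; real code fills it with random bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed length check; not OpenSSL/LibreSSL code.
 * Heartbeat message (RFC 6520): 1-byte type, 2-byte big-endian payload_length,
 * payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define HB_RESPONSE    0x02

/* Constructed sample: a 21-byte heartbeat request (header, 2-byte payload "hi",
 * 16 bytes of padding) immediately followed by 11 bytes standing in for
 * whatever else sat in memory after the record. The header lies: it declares
 * a 24-byte payload, so an unchecked echo copies the neighbouring bytes too. */
static const unsigned char SAMPLE[] = {
    0x01, 0x00, 0x18,                               /* request, payload_length = 24 */
    'h',  'i',                                      /* the real 2-byte payload */
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, /* 16 bytes of padding */
    'S',  'E',  'C',  'R',  'E',  'T',  'K',  'E',  'Y',  '!',  '!' /* neighbouring memory */
};
#define SAMPLE_RECORD_LEN 21 /* what the record layer actually delivered */

/* Build the reply. rec_len is the length reported by the record layer, the
 * only trustworthy length. 'check' selects the fix. Returns reply length or -1. */
static int heartbeat_reply(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap, int check)
{
    if (rec_len < HB_HEADER_LEN)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t reply_len = HB_HEADER_LEN + (size_t)payload_len + HB_PADDING_LEN;

    /* The 1.0.1g check: declared payload plus header and minimum padding must
     * fit inside the bytes actually received. Without it, the memcpy below
     * reads payload_len bytes starting at the payload, well past its real end. */
    if (check && HB_HEADER_LEN + (size_t)payload_len + HB_PADDING_LEN > rec_len)
        return -1;
    if (reply_len > out_cap) /* guard for the demo's reply buffer only */
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len); /* echoes declared length */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_PADDING_LEN);  /* real code: random padding */
    return (int)reply_len;
}

int heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap)
{
    return heartbeat_reply(rec, rec_len, out, out_cap, 0);
}

int heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    return heartbeat_reply(rec, rec_len, out, out_cap, 1);
}

/* Does the reply carry 'needle' anywhere? This is what a Heartbleed scanner
 * effectively looks for: bytes in the reply that were never in the request. */
int reply_contains(const unsigned char *buf, int len, const char *needle)
{
    size_t n = strlen(needle);
    if (len < 0 || (size_t)len < n)
        return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Run the sample with a chosen declared payload length through one variant.
 * Returns the reply length (or -1); *leaked reports whether "SECRET" came back. */
int run_sample(int fixed, int declared_payload_len, int *leaked)
{
    unsigned char rec[sizeof SAMPLE];
    unsigned char out[128];
    memcpy(rec, SAMPLE, sizeof SAMPLE);
    rec[1] = (unsigned char)(declared_payload_len >> 8);
    rec[2] = (unsigned char)(declared_payload_len & 0xff);
    int n = fixed ? heartbeat_reply_fixed(rec, SAMPLE_RECORD_LEN, out, sizeof out)
                  : heartbeat_reply_vulnerable(rec, SAMPLE_RECORD_LEN, out, sizeof out);
    *leaked = reply_contains(out, n, "SECRET");
    return n;
}

int main(void)
{
    int leaked;
    int n = run_sample(0, 24, &leaked);
    printf("vulnerable: reply %d bytes, leaked neighbouring memory: %s\n", n, leaked ? "yes" : "no");
    n = run_sample(1, 24, &leaked);
    printf("fixed:      reply %d (rejected), leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_sample(1, 2, &leaked);
    printf("fixed, honest header: reply %d bytes, leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The point of the comparison is that the record layer already knew the true length of the message; the bug was that the heartbeat handler never consulted it. OpenBSD's choice was to delete the feature rather than keep the check.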
You can also find the change history for their code on their site. If you look at the change log, you will find that many of the commits are related to the OpenSSL Heartbleed bug.
Since the bug, OpenBSD treats the whole library as tainted: it is going to review all of the OpenSSL code and create a new SSL library based on it. This may be a good move toward a safer and cleaner SSL library, and if someday there is another severe bug in OpenSSL, people could switch to the OpenBSD version of the library in just a few hours.
This is not an easy task, but it is worth the effort. Some people have even given the project a new name: OpenOpenSSL. Do you like it?