Google devs: Tearing Chrome away from OpenSSL not that easy

Google is trying to migrate its Chrome browser away from the buggy OpenSSL cryptography library toward BoringSSL, its homegrown fork, but swapping out the crypto code is proving more difficult than it sounds. Google engineer David Benjamin posted a revision to the Chromium source code version control system this week with a …

  1. Brian Scott

    "In response to the Heartbleed debacle, a group of NetBSD developers created an OpenSSL fork called LibreSSL."

    Actually, that's OpenBSD not NetBSD. OpenBSD forked from NetBSD a long time ago. They have a bit of a history doing this.

    1. NP-Hardass

      Use the send corrections button above

    2. diodesign (Written by Reg staff) Silver badge

      "Actually, that's OpenBSD not NetBSD"

      So why didn't you email corrections@theregister.co.uk? So you'll find all your comments moderated from now on. Well done.

      It was fixed as soon as we spotted the mistake - in fact, it was corrected while we were in the bar after work.

      C.

      1. Flawless101
        Pint

        Drinking and working without fear of getting sacked... living the dream.

        1. wowfood

          Who said they were working? They just said 'fixed while we were in the bar after work'.

          They probably subcontract an office gremlin. No office should be without one.

      2. Pete Spicer

        Because it's too difficult to have a webform that does this as well so I don't have to copy/paste the email address?

      3. Anonymous Coward

        Re: bar

        it was corrected while we were in the bar after work.

        Huh? Overtime? Isn't that where journalists spend a lot of time /during/ their work hours? :)

        At least you have a couple decent ones pretty close to your office - no doubt that was a major consideration for the location choice :p

        1. diodesign (Written by Reg staff) Silver badge

          Re: bar

          "At least you have a couple decent ones pretty close to your office"

          Being based in San Francisco, we were at a rowdy place in the Mission, 16th and Valencia actually. The thing about having smartwatches and smartphones is that work emails (particularly corrections@ which we take seriously) tend to catch our eye even after a few jars of Anchor Steam.

          Anyway, in the sober light of day I've taken the manual mod off poster Brian Scott's account. But please do keep pinging the corrections address - we'll pick 'em up night and day :)

          C.

  2. Anonymous Coward

    Could this happen with LibreSSL too?

    As observed before, refactoring a complex beast like OpenSSL isn't an easy job, partly because you have to get into the mindset of the original developers to find out why they did things a certain way (or they may have been on weird substances, but I digress). I suspect the same problems will show up for the LibreSSL effort.

    I wonder if all that effort would not have been better spent on refactoring OpenSSL? That keeps the count of codebases to manage at one instead of, what, 3 now?

    1. foxyshadis

      Re: Could this happen with LibreSSL too?

      One thing this article didn't approach is that Chrome is based on NSS, not OpenSSL, and the totally different APIs are what make the drop-in so painful. If it was just OpenSSL to BoringSSL or LibreSSL, it would be much smoother. (Well, not so much in LibreSSL's case, since all of the neat kludgy platform-specific hacks were removed, making it much less portable at this time.)

      1. Dan 55 Silver badge

        Re: Could this happen with LibreSSL too?

        I believe Chrome on Linux uses NSS, Chrome on Windows or Mac uses NSS and the OS-supplied crypto library and Chrome on Android uses OpenSSL. The idea was to change this all over to BoringSSL but I'm not sure how much of a good idea this is at the moment after Heartbleed.

      2. AlanB

        Re: Could this happen with LibreSSL too?

        Chromium uses OpenSSL on Android, and Chrome might be dropping NSS for OpenSSL on all platforms:

        https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s

    2. Captain TickTock
      Boffin

      Re: Could this happen with LibreSSL too?

      This is a highly entertaining read which should answer that.

      In a nutshell, they've created the LibreSSL fork because OpenSSL have been sitting on bugs (and creating horrible hacks) for years, because it's just too horrible to work on.

      1. h4rm0ny
        Thumb Up

        Re: Could this happen with LibreSSL too?

        >>"This is a highly entertaining read which should answer that"

        Wow. That was an extremely informative read. Funny too. I had no idea how bad things were with OpenSSL. But it also convinces me that LibreSSL is the one to back as it sounds like it is in very excellent hands!

        1. asdf

          Re: Could this happen with LibreSSL too?

          Yeah Theo may rub some people the wrong way (hey much like Linus) but the guy and his team know as much about bulletproofing C code as just about anyone out there.

    3. asdf

      Re: Could this happen with LibreSSL too?

      >I suspect the same problems will show up for the LibreSSL effort.

      Yeah, they already ran into some security issues they introduced that OpenSSL didn't have when they released their second portable release. They are doing a great job, but refactoring a hairball like OpenSSL is going to have a lot of pain along the way. The worst part is that even if they do the best job, the OpenSSL API is absolute garbage. Major industry fail (open and closed source) that so much software was built on top of and using this total POS code.

    4. asdf

      Re: Could this happen with LibreSSL too?

      >I wonder if all that effort would not have been better spent on refactoring OpenSSL? That keeps the count of code to manage to one instead of, what, 3 now?

      Over the years the Open Source community has learned that what seems like a waste and duplication of effort often turns out to be good in the end. Many were against developer time being used on both Gnome and KDE, but thank goodness it was. The 3 may end up serving different audiences, which is all good (for example LibreSSL in most open source distros, OpenSSL for VMS and all the weird-ass corner-case platforms and some commercial products, and BoringSSL for Google's ecosystem). What's good is that, unlike with systemd, no one person or entity is telling everyone what to use or how to do/fix things. Choices are always good.

  3. Anonymous Coward
    Big Brother

    BoringSSL build issues...

    Tue Jul 22 18:20:37 2014 UTC

    Switch to BoringSSL.

    'This is a reland of r284079 which was reverted in r284248 for components build issues. That, in turn, was a reland of r283813 which was reverted in r283845 because it broke WebRTC tests on Android. That, in turn, was a reland of r283542 which was reverted in r283591 because it broke the WebView build.

    This is a much larger change than its diff suggests. If it breaks something, please revert first and ask questions later.'

  4. This post has been deleted by its author

    1. Dan 55 Silver badge

      Firefox uses NSS, not GnuTLS, thankfully. GnuTLS is worse than OpenSSL.

  5. This post has been deleted by its author

  6. Anonymous Coward

    PolarSSL

    There's a C library called PolarSSL which is a mature project and it works very well for all your cryptographic needs.
