pkgsrc-Users archive


LibreSSL vs. OpenSSL



Hi,

The current round of OpenSSL vulnerabilities has prompted me to ask
whether there are any plans to switch to using LibreSSL in pkgsrc.

I know that there would be some issues to overcome: the (somewhat dated)
version in wip/libressl indicates some portability issues, but version
2.1.3 is supposed to have some NetBSD support. Yes, the lack of assembly
language implementations of some of the cryptographic algorithms could
be an issue for performance-intensive applications; particularly the
lack of AES-NI support.

There's also the issue that some packages (presumably) can't build
against LibreSSL, due to its trimmed-down API. And, due to name
collisions, installing both OpenSSL and LibreSSL would be problematic.

Finally, there's all the packages that would need to be touched to
either switch them to use LibreSSL, or to provide the capability to
select whether to use OpenSSL or LibreSSL.

What would be nice is to have a mk.conf variable to select whether to
use OpenSSL or LibreSSL, and support in the various packages to indicate
which implementations they work with.

Is anyone working on something like this already?

Thanks,

-- 
Iain Morgan

PS: I see that between pkgsrc and pkgsrc-wip, there are 644 packages
that reference security/openssl/buildlinks. So, I realize that the
transition would be non-trivial.

