LibreSSL was initially developed as an intended replacement for OpenSSL in OpenBSD 5.6, and was ported to other platforms once a stripped-down version of the library was stable.[15] As of April 2014, the project was seeking a "stable commitment" of external funding.[13] On 17 May 2014, Bob Beck presented "LibreSSL: The First 30 Days, and What The Future Holds" during the 2014 BSDCan conference, in which he described the progress made in the first month.[16] On 5 June 2014, several OpenSSL bugs became public. While several projects were notified in advance,[17] LibreSSL was not; Theo de Raadt accused the OpenSSL developers of intentionally withholding this information from OpenBSD and LibreSSL.[18]
On 20 June 2014, Google created another fork of OpenSSL called BoringSSL, and promised to exchange fixes with LibreSSL.[19][20] Google has already relicensed some of its contributions under the ISC license, as it was requested by the LibreSSL developers.[19][21] On 21 June 2014, Theo de Raadt welcomed BoringSSL and outlined the plans for LibreSSL-portable.[22] Starting on 8 July, code porting for macOS and Solaris began,[23] while the initial porting to Linux began on 20 June.[24]
As of 2021, OpenBSD uses LibreSSL as the primary TLS library. Alpine Linux supported LibreSSL as its primary TLS library for three years, until release 3.9.0 in January 2019. Gentoo supported LibreSSL until February 2021.[25] Python 3.10 dropped LibreSSL[26] after being supported since Python 3.4.3 (2015).[27]
Fixes for potential double free scenarios have also been cited in the VCS commit logs (including explicit assignments of null pointer values).[42] There have been extra sanity checks also cited in the commit logs related to ensuring length arguments, unsigned-to-signed variable assignments, pointer values, and method returns.
In order to maintain good programming practice, a number of compiler options and flags designed for safety have been enabled by default to help in spotting potential issues so they can be fixed earlier (-Wall, -Werror, -Wextra, -Wuninitialized). There have also been code readability updates which help future contributors in verifying program correctness (KNF, white-space, line-wrapping, etc.). Modification or removal of unneeded method wrappers and macros also helps with code readability and auditing (Error and I/O abstraction library references).
Changes were made to ensure that LibreSSL will be year 2038 compatible along with maintaining portability for other similar platforms. In addition, explicit_bzero and bn_clear calls were added to prevent the compiler from optimizing them out and prevent attackers from reading previously allocated memory.
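The two memory-hygiene patterns described above (assigning NULL after free to defuse double frees, and zeroing secrets in a way the compiler cannot optimize out), as an added C example that is not LibreSSL code. The names `secure_zero`, `struct secret`, `secret_init` and `secret_clear` are hypothetical, and the volatile function pointer is a portable stand-in for `explicit_bzero`.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for explicit_bzero(3), an assumption made for portability: the
 * call goes through a volatile pointer, so it cannot be elided as dead. */
typedef void *(*memset_fn)(void *, int, size_t);
static volatile memset_fn memset_ptr = memset;

void secure_zero(void *buf, size_t len)
{
    if (buf != NULL && len > 0)
        memset_ptr(buf, 0, len);
}

struct secret {               /* hypothetical key container */
    unsigned char *key;
    size_t len;
};

/* Copy key material into a fresh heap buffer; 0 on success, -1 on error. */
int secret_init(struct secret *s, const unsigned char *src, size_t len)
{
    s->key = NULL;
    s->len = 0;
    if (src == NULL || len == 0 || (s->key = malloc(len)) == NULL)
        return -1;
    memcpy(s->key, src, len);
    s->len = len;
    return 0;
}

/* Wipe before free so the allocator never hands out the old key bytes,
 * then NULL the pointer so a repeated call becomes free(NULL), a no-op. */
void secret_clear(struct secret *s)
{
    secure_zero(s->key, s->len);
    free(s->key);
    s->key = NULL;
    s->len = 0;
}

int main(void)
{
    struct secret s;
    if (secret_init(&s, (const unsigned char *)"constructed-key", 15) != 0)
        return 1;             /* the key string is a constructed sample */
    secret_clear(&s);
    secret_clear(&s);         /* second call must not double free */
    return s.key == NULL ? 0 : 1;
}
```

A plain `memset` immediately before `free` is a dead store that an optimizing compiler may remove, which is why the wipe is routed through a call it cannot see through.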
There were changes to help ensure proper seeding of random number generator-based methods via replacements of insecure seeding practices (taking advantage of features offered by the kernel itself natively).[43][44] In terms of notable additions made, OpenBSD has added support for newer and more reputable algorithms (ChaCha stream cipher and Poly1305 message authentication code) along with a safer set of elliptic curves (brainpool curves from RFC 5639, up to 512 bits in strength).
The IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST, GMP, CSwift, CHIL, CAPI, Atalla and AEP engines were removed due to irrelevance of hardware or dependency on non-free libraries.
The OpenSSL PRNG was removed (and replaced with a ChaCha20-based implementation of arc4random).
Preprocessor macros that have been deemed unnecessary or insecure or had already been deprecated in OpenSSL for a long time (e.g. des_old.h) were removed.
One of the complaints of OpenSSL was the number of open bugs reported in the bug tracker that had gone unfixed for years. Older bugs are now being fixed in LibreSSL.[61]