Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
move back to openssl #1312
A 20-year root CA will be causing problems in less than 10 months on 32-bit Linux with LibreSSL: libressl-portable/portable#207
We're already seeing these kinds of problems - any certificate with a post-2038 expiry date cannot be verified by LibreSSL on 32-bit Linux. LibreSSL have no plans to fix this (having purposefully removed the OpenSSL workaround for 32-bit platforms), so to verify these post-2038 certs on 32-bit Linux will require an ABI update (in the works but no estimate other than "before 2038"). Alternatively, we switch back to OpenSSL.
Bear in mind that 20 year expiry dates on root CAs is not that uncommon, and 2038 is less than 21 years from now... so unless the Linux 32-bit ABI is updated between now and the end of the year with 64-bit time_t, using LibreSSL to verify certificates will start to become a much bigger issue in less than 10 months time.
We also have another issue with LibreSSL relating to a DAZN addon that fails to verify an upstream server hosting widevine keys - accessing this same server is not a problem with OpenSSL.
I also think some of the other Qt based projects have requested the option of building with OpenSSL as Qt does not support LibreSSL.
So in short, bye bye LibreSSL.