How "official" is libressl support in High Sierra?
I am trying to port an OpenSSL-based C program from Linux to macOS, and I would like to use a library for TLS which is officially supported by the OS, because then the OS keeps that library up-to-date and secure without any extra work for me or the user of my application.
I thought LibreSSL was officially supported in macOS and I have already ported my program to have a LibreSSL backend, but I'm unsure of the state of LibreSSL within macOS. Is there any official documentation that addresses whether developers should treat the LibreSSL library as deprecated or not?
PS: I've searched on Apple's developer site, but the official Apple documentation about encrypting network communication makes ABSOLUTELY NO mention of LibreSSL (which is not the same as OpenSSL).
Solution 1:
To answer the question asked:
How “official” is libreSSL support in High Sierra?
There is no official support. Apple makes available all Open Source code that it uses in macOS/OS X. From the latest version of High Sierra (10.13.3) all the way back to Lion 10.7.0, there is no mention of libreSSL.
This is not to say that it will not work if you choose to install the libraries. It's that they don't officially use the code in macOS. If you do get it working and something breaks when you upgrade macOS, it will be up to you to fix it.
Apple has deprecated* OpenSSL and instead is utilizing Common Crypto, something Apple develops.
*Deprecated as in no longer developed but not removed. OpenSSL is still included for backward compatibility, but developers are notified that there is no further development and should begin to move to the newer technology.
Solution 2:
MacOS provided openssl-0.9.8 (when the world was using 1.0.2, and contemplating 1.1 and 1.1.1) until the High Sierra release. Now in MacOS 10.13.5 it's libressl-2.2.7, while the current libressl is 2.7.4.
It looks like MacOS-provided LibreSSL does not come with any engines, and it is unclear whether it's possible to even add an engine to it. That means - no openssl using keys on hardware tokens accessible via PKCS#11, no hardware RNG accessible via PKCS#11 or RDRAND, etc. UPDATE: It also doesn't seem to have the include files required to compile your applications. So it seems that you cannot build your software against MacOS LibreSSL even if you wanted to (well, you might be able to by downloading LibreSSL-2.2.7 yourself, etc. - but I'm very sure it isn't worth the hassle).
Since I don't want to write code that runs only on Mac, I can't afford to get stuck with Apple Secure Transport or such.
Therefore my personal recommendation would be to install and work with a "real" openssl, installing it via MacPorts (as I did for the "production" stuff on my systems) or Brew. In that case, the package maintainers would track the updates and security fixes for you, but you maintain compatibility with your Linux code with minimal effort.
Solution 3:
The only officially supported TLS library on macOS is Apple Secure Transport:
Secure Transport
Secure network communication using standardized transport layer security mechanisms.
The Security.SecureTransport API gives you access to Apple's implementation of Secure Sockets Layer version 3.0 (SSLv3), Transport Layer Security (TLS) versions 1.0 through 1.2, and Datagram Transport Layer Security (DTLS) version 1.0.
This means that LibreSSL is NOT supported by Apple for use as a TLS library in your application.
This means that as a responsible developer, you should either:
a) Use Apple Secure Transport
b) Statically link with a library, such as LibreSSL, that you support yourself
or
c) Dynamically link with a library, such as LibreSSL, that you clearly indicate to the user he needs to support himself, for example through Homebrew
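Solution 2 notes that the macOS-bundled LibreSSL ships no headers, and Solution 3 recommends building against a library you (or the user, via Homebrew or MacPorts) maintain. The helper below is an added example, not code from any of the answers or from Apple, LibreSSL or OpenSSL: it walks a list of candidate prefixes and only accepts one that has both openssl/ssl.h and a libssl library, so a headerless system install like /usr on High Sierra is skipped. The candidate paths (/opt/local for MacPorts, /usr/local/opt/openssl and /usr/local/opt/libressl for Homebrew) are assumed conventional locations, and the flavor check relies on LibreSSL's opensslv.h defining LIBRESSL_VERSION_NUMBER, which stock OpenSSL's does not.

```shell
#!/bin/sh
# Added example (not from the original page): pick an OpenSSL/LibreSSL
# development install to build a ported program against on macOS.
# A prefix only counts if headers AND a libssl library are both present,
# because the system LibreSSL on High Sierra has the library but no headers.

# has_tls_devkit PREFIX -> returns 0 if PREFIX has openssl/ssl.h and libssl.
has_tls_devkit() {
    prefix="$1"
    [ -f "$prefix/include/openssl/ssl.h" ] || return 1
    for lib in "$prefix/lib/libssl.dylib" "$prefix/lib/libssl.so" "$prefix/lib/libssl.a"; do
        [ -f "$lib" ] && return 0
    done
    return 1
}

# tls_flavor PREFIX -> prints "libressl" or "openssl" by inspecting opensslv.h.
# LibreSSL defines LIBRESSL_VERSION_NUMBER there; stock OpenSSL does not.
tls_flavor() {
    hdr="$1/include/openssl/opensslv.h"
    [ -f "$hdr" ] || { echo unknown; return 1; }
    if grep -q 'LIBRESSL_VERSION_NUMBER' "$hdr"; then
        echo libressl
    else
        echo openssl
    fi
}

# find_tls_prefix PREFIX... -> prints the first candidate with a complete devkit.
find_tls_prefix() {
    for p in "$@"; do
        if has_tls_devkit "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# tls_flags PREFIX -> make-style variables for compiling and linking against it.
tls_flags() {
    echo "CPPFLAGS=-I$1/include LDFLAGS=-L$1/lib LIBS=-lssl -lcrypto"
}

# Usage: assumed conventional prefixes, in order of preference. /usr comes last
# so a system install is only used if it actually ships headers.
if prefix=$(find_tls_prefix /opt/local /usr/local/opt/openssl /usr/local/opt/libressl /usr); then
    echo "using $(tls_flavor "$prefix") from $prefix"
    tls_flags "$prefix"
else
    echo "no complete OpenSSL/LibreSSL devkit found; install one via MacPorts or Homebrew" >&2
fi
```

Feed the printed variables into your Makefile or configure step; if the script falls through to the error branch on a stock High Sierra box, that is exactly the missing-headers situation Solution 2 describes.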