LibreBSD 10.3-RC2 adds libtls and netcat 11 mar 2016



Today's update to LibreBSD is an update tested on FreeBSD 10.3-RC2 and adds libtls and the TLS capable netcat implementation from the LibreSSL distribution.

LibreBSD 10.3-RC2 adds libtls and netcat

The FreeBSD source tree was tagged 10.3-RC2 with only minor changes for zfs send.

I had intended to add libtls and the TLS (no SSL in LibreSSL remember!) enabled netcat to 10.3 as well. This update marks the first version that includes these tools. Mainly this is a backport of the version found in HardenedBSD which I hope to work on again this weekend.

There's still some snags to this version which I have yet to iron out. The latest version can be found in the LibreBSD github repo FreeBSD-10.3 branch.

Co-existence of netcat

FreeBSD is already shipped with netcat from OpenBSD, but the version from OpenBSD 5.8 which doesn't contain the TLS capability yet. The version in FreeBSD is not exactly the same as the one in OpenBSD, it adds IPSec capability to netcat.

To work around this, I've renamed the TLS-enabled netcat binary to netcat. This 'release' has both versions in parallel. in the mean time I'm working on merging the FreeBSD changes into the OpenBSD version.

Updates to GitHub

Every repo on GitHub should have a proper README.md which is displayed as the landing page of the repository.

Luckily, I use Pelican as my static blog generator which I feed with MarkDown files, which -not so coincidentally- is also used for the README.md, so I copied my earlier blogpost in. Voilá, it now has a proper README.md!

Proper netcat merging

The proper way to do this is detect MK_LIBRESSL and build the TLS-enabled version in stead of the regular version.

To add the IPSec capability, FreeBSD added two options to netcat

-E Shortcut for "-e 'in ipsec esp/transport//require' -e 'out ipsec
   esp/transport//require'", which enables IPsec ESP transport mode
   in both directions.

-e If IPsec support is available, then one can specify the IPsec
   policies to be used using the syntax described in
   ipsec_set_policy(3). This flag can be specified up to two times,
   as typically one policy for each direction is needed.

and what do you know, the -e flag is now also used in OpenBSD's netcat

-e name
   Specify the name that must be present in the peer certificate when
   using TLS. Illegal if not using TLS.

To merge these, upstream has precedence and FreeBSD's addition must be renamed. I decided to use a long option --ipsec-policy to replace -e. This warrants an UPDATING entry if it is ever added to FreeBSD.

All in all this was more work then I had time for today, so expect updates later!