From owner-freebsd-security@FreeBSD.ORG Tue Aug 24 20:15:03 2010
Return-Path: <freebsd@johnea.net>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0B9F91065679 for ; Tue, 24 Aug 2010 20:15:03 +0000 (UTC) (envelope-from freebsd@johnea.net)
Received: from mail.johnea.net (johnea.net [70.167.123.7]) by mx1.freebsd.org (Postfix) with ESMTP id E63A18FC18 for ; Tue, 24 Aug 2010 20:15:02 +0000 (UTC)
Received: from [192.168.100.239] (vhost.johnea.net [192.168.100.239]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mail.johnea.net (Postfix) with ESMTPSA id F13CB73F185E for ; Tue, 24 Aug 2010 12:57:31 -0700 (PDT)
Message-ID: <4C74242B.9090207@johnea.net>
Date: Tue, 24 Aug 2010 12:57:07 -0700
From: freebsd@johnea.net
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.10) Gecko/20100617 Shredder/3.0.5
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: implementing SNI
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 24 Aug 2010 20:15:03 -0000

Hello out there,

Implementing the SNI extension, to permit encrypted virtual web domain service, seems to be spreading. I hope I'm not too far OT in asking this list for advice on making this transition on FreeBSD.

The first server to be migrated is currently running: 7.1-RELEASE-p13 with the base openssl 0.9.8.e and apache 2.2.13

Several options seem to be available:

1) upgrade the openssl in the existing 7.1 release
2) migrate to gnuTLS in the existing 7.1 release
3) upgrade freebsd to 8.1 with openssl 0.9.8n

I'm pre-inclined towards upgrading the OS to 8.1.

The primary concerns I've considered revolve around moving the installed ports through this upgrade with minimal downtime. Could anyone please offer advice on the openssl upgrade issues involved in such a migration?

In addition to apache, this server is a pretty loaded toaster, also hosting DNS with bind9, virtual mail domains with postfix, courier-imap/authlib, and mysql, and shell accounts via openssh.

A simpler question that I've been unable to resolve: Does the openssl of 8.1-RELEASE enable the TLS extensions, including SNI, by default? If I have to rebuild from source to enable this feature anyway, it takes some of the incentive out of migrating the OS now.

Thanks for any insight or experience you're able to share!

johnea
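As an added example, not part of johnea's post and not FreeBSD, Apache or OpenSSL code: the SNI feature the post asks about is a `server_name` extension carried inside the TLS ClientHello (RFC 4366, later RFC 6066). The Python below builds a minimal constructed ClientHello with and without that extension, extracts the host name the way a server-side virtual-host dispatcher would, and falls back to a default vhost when the client sent none, which is what an OpenSSL built without TLS extensions, or an old client, produces. The vhost table, certificate paths and host names are constructed placeholders.

```python
import struct
from typing import Optional, Tuple

# Constructed vhost table: host name -> certificate path (placeholders, not from the post).
VHOSTS = {
    "www.example.org": "/usr/local/etc/apache22/ssl/www.example.org.crt",
    "mail.example.org": "/usr/local/etc/apache22/ssl/mail.example.org.crt",
}
DEFAULT_VHOST = "www.example.org"   # what every non-SNI client will be served

EXT_SERVER_NAME = 0                 # extension type for server_name (RFC 4366 / RFC 6066)
NAME_TYPE_HOST_NAME = 0             # the only name_type defined


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed test message, not a capture)."""
    body = b"\x03\x01"                          # client_version: TLS 1.0
    body += bytes(32)                           # random, zeroed for the example
    body += b"\x00"                             # session_id length 0
    suites = b"\x00\x39\x00\x2f"                # DHE-RSA-AES256-SHA, AES128-SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    if sni is not None:                         # append the server_name extension block
        host = sni.encode("ascii")
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None
    when the client sent no SNI at all. Raises ValueError on malformed input."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    def need(n: int) -> None:               # bounds check before every fixed-size read
        if i + n > len(p):
            raise ValueError("truncated ClientHello")

    i = 2 + 32                              # skip client_version and random
    need(1); i += 1 + p[i]                  # session_id
    need(2); i += 2 + struct.unpack("!H", p[i:i + 2])[0]   # cipher_suites
    need(1); i += 1 + p[i]                  # compression_methods
    if i >= len(p):
        return None                         # no extensions block: a pre-SNI client
    need(2); end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]; i += 2
    while i + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", p[i:i + 4]); i += 4
        need(ext_len); data = p[i:i + ext_len]; i += ext_len
        if ext_type != EXT_SERVER_NAME or len(data) < 2:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        j = 2
        while j + 3 <= list_end:
            name_type = data[j]
            name_len = struct.unpack("!H", data[j + 1:j + 3])[0]
            name = data[j + 3:j + 3 + name_len]
            j += 3 + name_len
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


def select_vhost(record: bytes) -> Tuple[str, str]:
    """Pick the certificate to present: the SNI name if it is a configured vhost,
    otherwise the default vhost (which is also what a non-SNI client always gets)."""
    name = extract_sni(record)
    if name is not None:
        name = name.lower().rstrip(".")
    if name in VHOSTS:
        return name, VHOSTS[name]
    return DEFAULT_VHOST, VHOSTS[DEFAULT_VHOST]


if __name__ == "__main__":
    for sni in ("mail.example.org", "unknown.example.net", None):
        print(repr(sni), "->", select_vhost(build_client_hello(sni)))
```

The fallback branch is the operational caveat behind the post's question: a client that does not send SNI, or a server-side OpenSSL built without TLS extensions, still completes the handshake, but every name-based vhost other than the default is served the default certificate, so the only symptom is a hostname-mismatch warning for secondary names. On a running server the same distinction can be checked with `openssl s_client -servername <host> -connect <host>:443` and comparing the returned certificate subject with a run that omits `-servername`.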