From owner-freebsd-security@freebsd.org Thu Jan 26 21:48:11 2017
From: Oliver Pinter
Date: Thu, 26 Jan 2017 22:48:08 +0100
Subject: Re: Plan for OpenSSL in stable/10?
To: Benjamin Kaduk, Xin LI
Cc: Dimitry Andric, freebsd-security@freebsd.org, Eric van Gyzen

On 1/13/17, Benjamin Kaduk wrote:
> On Thu, Jan 12, 2017 at 10:57:20PM +0100, Dimitry Andric wrote:
>> On 12 Jan 2017, at 19:02, Eric van Gyzen wrote:
>> >
>> > Has anyone had time to discuss and form a plan for OpenSSL in
>> > stable/10,
>> > now that 1.0.1 is end-of-life?  I don't recall seeing any public
>> > discussion or announcement; forgive me if I missed it.
>>
>> Would updating to 1.0.2 change the API and/or ABI?
>
> IIRC upstream claims that it is ABI and API compatible, but they were less
> good about enforcing that rigorously back then than they are now, so maybe
> some things slipped through the cracks.
>

Is there any news regards to these questions?

> -Ben

From owner-freebsd-security@freebsd.org Thu Jan 26 22:10:59 2017
From: Xin LI
Date: Thu, 26 Jan 2017 14:10:55 -0800
Subject: Re: Plan for OpenSSL in stable/10?
To: Oliver Pinter
Cc: Benjamin Kaduk, Xin LI, Dimitry Andric, "freebsd-security@freebsd.org", Eric van Gyzen

They are not compatible:
https://abi-laboratory.pro/tracker/timeline/openssl/

(3 missing symbols needs to be fixed, and we need to verify if the result
is still compatible; the usage of these missing symbols should be quite
rare, though).

On Thu, Jan 26, 2017 at 1:48 PM, Oliver Pinter <oliver.pinter@hardenedbsd.org> wrote:

> On 1/13/17, Benjamin Kaduk wrote:
> > On Thu, Jan 12, 2017 at 10:57:20PM +0100, Dimitry Andric wrote:
> >> On 12 Jan 2017, at 19:02, Eric van Gyzen wrote:
> >> >
> >> > Has anyone had time to discuss and form a plan for OpenSSL in
> >> > stable/10,
> >> > now that 1.0.1 is end-of-life?
> >> > I don't recall seeing any public
> >> > discussion or announcement; forgive me if I missed it.
> >>
> >> Would updating to 1.0.2 change the API and/or ABI?
> >
> > IIRC upstream claims that it is ABI and API compatible, but they were less
> > good about enforcing that rigorously back then than they are now, so maybe
> > some things slipped through the cracks.
> >
>
> Is there any news regards to these questions?
>
> > -Ben

From owner-freebsd-security@freebsd.org Fri Jan 27 17:48:16 2017
Date: Fri, 27 Jan 2017 17:30:17 +0000
From: heasley
To: freebsd-security@freebsd.org
Subject: fbsd11 & sshv1

I do appreciate fbsd's and openssh's
altruism with the removal of v1 support.  But, the fact is that there is
equipment in the wild that does not support v2 and never will and otherwise
works perfectly fine, yet sshv1 is still a better choice than telnet.

So, what is the BCP to support a v1 client for outbound connections on fbsd
11?  Hopefully one that I do not need to maintain by building a special ssh
from ports.  Is there a pkg that I'm missing?

tia

From owner-freebsd-security@freebsd.org Fri Jan 27 21:51:51 2017
Date: Fri, 27 Jan 2017 15:46:35 -0600
From: Benjamin Kaduk
To: Xin LI
Cc: Oliver Pinter, Xin LI,
    Dimitry Andric, "freebsd-security@freebsd.org", Eric van Gyzen
Subject: Re: Plan for OpenSSL in stable/10?

Er, which three symbols?
I'm not sure that I'm reading the tool properly; e.g., the 1.0.2 line has
"4 removed", which seems to be comparing to 1.0.1u, which is not a fair
comparison -- some symbols were added during the 1.0.1 series, e.g., for CVE
fixes, that were also added to the 1.0.2 series, but were not present in
1.0.2.  (BTW I posted to upstream about this at
https://mta.openssl.org/pipermail/openssl-dev/2017-January/009042.html)

-Ben

On Thu, Jan 26, 2017 at 02:10:55PM -0800, Xin LI wrote:
> They are not compatible:
> https://abi-laboratory.pro/tracker/timeline/openssl/
>
> (3 missing symbols needs to be fixed, and we need to verify if the result
> is still compatible; the usage of these missing symbols should be quite
> rare, though).
>
> On Thu, Jan 26, 2017 at 1:48 PM, Oliver Pinter <oliver.pinter@hardenedbsd.org> wrote:
>
> > On 1/13/17, Benjamin Kaduk wrote:
> > > On Thu, Jan 12, 2017 at 10:57:20PM +0100, Dimitry Andric wrote:
> > >> On 12 Jan 2017, at 19:02, Eric van Gyzen wrote:
> > >> >
> > >> > Has anyone had time to discuss and form a plan for OpenSSL in
> > >> > stable/10,
> > >> > now that 1.0.1 is end-of-life?  I don't recall seeing any public
> > >> > discussion or announcement; forgive me if I missed it.
> > >>
> > >> Would updating to 1.0.2 change the API and/or ABI?
> > >
> > > IIRC upstream claims that it is ABI and API compatible, but they were less
> > > good about enforcing that rigorously back then than they are now, so maybe
> > > some things slipped through the cracks.
> > >
> >
> > Is there any news regards to these questions?
> >
> > > -Ben
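
Added example, not part of the thread and not code from FreeBSD, OpenSSL or the ABI tracker: the "removed symbols" count discussed above depends on which two releases are compared, and what matters for an upgrade is whether any installed binary imports a symbol that is really gone. The `nm -D` style listings and every symbol name below are constructed placeholders.

```python
# Constructed `nm -D` style listings; all symbol names are placeholders.
NM_101U = """\
0000000000011000 T EX_sym_common
0000000000011200 T EX_sym_legacy
0000000000011400 T EX_sym_cve_fix
"""
# First release of the newer branch: the fix symbol is not there yet.
NM_102_INITIAL = """\
0000000000021000 T EX_sym_common
0000000000021600 T EX_sym_new
"""
# Later patch release of the newer branch: the fix symbol was added here too.
NM_102_LATER = NM_102_INITIAL + "0000000000021800 T EX_sym_cve_fix\n"
# A consumer binary: undefined (imported) symbols carry type U.
NM_CONSUMER = """\
                 U EX_sym_common
                 U EX_sym_legacy
0000000000401000 T main
"""


def parse_nm(text):
    """Return (defined, undefined) symbol-name sets from nm -D style text."""
    defined, undefined = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        # Last two fields are type and name; drop any @VERSION suffix.
        sym_type, name = fields[-2], fields[-1].split("@")[0]
        if sym_type in ("U", "w", "v"):      # undefined / weak undefined
            undefined.add(name)
        elif sym_type.isupper():             # globally visible definition
            defined.add(name)
    return defined, undefined


def removed_symbols(old_nm, new_nm):
    """Symbols exported by the old library but not by the new one."""
    return parse_nm(old_nm)[0] - parse_nm(new_nm)[0]


def broken_imports(consumer_nm, old_nm, new_nm):
    """Imports of a consumer binary that the new library no longer provides."""
    return parse_nm(consumer_nm)[1] & removed_symbols(old_nm, new_nm)


if __name__ == "__main__":
    print("vs initial:", sorted(removed_symbols(NM_101U, NM_102_INITIAL)))
    print("vs later:  ", sorted(removed_symbols(NM_101U, NM_102_LATER)))
    print("consumer breaks on:",
          sorted(broken_imports(NM_CONSUMER, NM_101U, NM_102_LATER)))
```

Comparing the latest old-branch release against the first new-branch release overstates the removals; comparing against the release actually being imported leaves only the symbols that consumers can break on.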