Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 29 Jul 2018 09:59:29 +1000
From:      Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To:        "PRAKASH RAI (prakrai)" <prakrai@cisco.com>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: TLSv1.3 support in freeBSD 11.X
Message-ID:  <81dc7784-62d2-37e8-95f0-1f49215d4a58@heuristicsystems.com.au>
In-Reply-To: <2ECA83EC-B156-43DF-AFDD-407BDFF74DAA@contoso.com>
References:  <2ECA83EC-B156-43DF-AFDD-407BDFF74DAA@contoso.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

On 26/07/2018 9:45 PM, PRAKASH RAI (prakrai) via freebsd-security wrote:
> Hi All,
>
> I was going through the https://wiki.freebsd.org/OpenSSL and found that openssl 1.1.1 support is planned for freeBSD 12.
> As TLSv1.3 is based on openssl 1.1.1, does it mean that freeBSD 11.X would not be having support for TLSv1.3?
>
> Basically I would like to understand if I can build openssl 1.1.1 (which is having support for TLSv1.3) with FreeBSD 11.2 without any issue and enable TLSv1.3 support?
>
> Regards,
> Prakash
>
Prakash,
You're very ambitious ;)  TLSv1.3 is very different from 1.2 and
others.  Additional ciphers are "nice", but the session controls are
quite different and will take a while for applications to settle into. 
Quite a few applications are not yet at openssl 1.1.0, so surprise
yourself and try something like:
for interests in security www; do find /usr/ports/$interests/ -name
Makefile|xargs grep openssl-devel|grep BROKEN; done

And you should also note that the ports are only built on lowest
supported FreeBSD (#1), and on the 11 stream, that seems to be FreeBSD
11.1Release; so we should really work in unison to migrate to openssl
1.1.1 :)  Drawn your own conclusions about what ports have been tested
on 11.2Release

FYI perhaps consider libressl which has some additional/useful ciphers,
might be worth a look if the ciphers are your driver. 

Ref:
#1 Poke around here:  http://beefy9.nyi.freebsd.org/data/latest-per-pkg/
Cheers.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?81dc7784-62d2-37e8-95f0-1f49215d4a58>