From owner-freebsd-security@freebsd.org Sun Jul 10 13:30:17 2016
Date: Sun, 10 Jul 2016 16:30:19 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: GOST in OPENSSL_BASE
Message-ID: <20160710133019.GD20831@zxy.spb.ru>
List-Id: "Security issues [members-only posting]"

I am surprised by the lack of GOST support in openssl-base.
Can this be enabled before 11.0 is released?

Subject: svn commit: r412619 - in head/dns: bind9-devel bind910 bind99
Author: mat
Date: Wed Apr 6 13:53:09 2016
New Revision: 412619
URL: https://svnweb.freebsd.org/changeset/ports/412619

Log:
  Stop bringing in OpenSSL from ports, it builds fine with the base one on 9,
  and WITH_OPENSSL_PORT does not belong in a port's Makefile anyway.

  Not bumping PORTREVISION because:
  - if you are building with poudriere, it will detect that a dependency has
    changed and rebuild it.
  - if you are building from ports, you will have OpenSSL from ports installed,
    and it will choose to use it.

  Sponsored by: Absolight

+.include 
+
+.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && defined(WITH_OPENSSL_BASE)
+BROKEN= OpenSSL from the base system does not support GOST, add \
+ WITH_OPENSSL_PORT=yes to your /etc/make.conf and rebuild everything \
+ that needs SSL.
+.endif
+
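Review bot: BROKEN is the wrong marker for the `.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && defined(WITH_OPENSSL_BASE)` block. Nothing in the port itself is broken; the user has selected an option combination that the chosen OpenSSL cannot satisfy, and the ports framework's marker for that situation is IGNORE, which stops the build with the same message without flagging the port as broken. Suggest `IGNORE= OpenSSL from the base system does not support GOST, add \` with the rest of the message unchanged. A second point worth confirming: the guard only fires when WITH_OPENSSL_BASE is defined at the point of the test, while the commit message says the port now builds against the base OpenSSL by default, so check that the default configuration (neither WITH_OPENSSL_BASE nor WITH_OPENSSL_PORT set by the user) still reaches this branch; if it does not, testing `!defined(WITH_OPENSSL_PORT)` instead would cover the default-to-base case as well.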
From owner-freebsd-security@freebsd.org Sun Jul 10 14:10:14 2016
Date: Sun, 10 Jul 2016 17:10:04 +0300
From: Andrey Chernov
To: Slawa Olhovchenkov, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
In-Reply-To: <20160710133019.GD20831@zxy.spb.ru>

On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> I am surprised by the lack of GOST support in openssl-base.
> Can this be enabled before 11.0 is released?

AFAIK the openssl maintainers say something like they can't support this
code and it will become rotten shortly with new changes, so they dropped it.
From owner-freebsd-security@freebsd.org Sun Jul 10 15:01:35 2016
Date: Sun, 10 Jul 2016 18:01:43 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Andrey Chernov
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20160710150143.GK46309@zxy.spb.ru>
References: <20160710133019.GD20831@zxy.spb.ru>

On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> > I am surprised by the lack of GOST support in openssl-base.
> > Can this be enabled before 11.0 is released?
>
> AFAIK the openssl maintainers say something like they can't support this
> code and it will become rotten shortly with new changes, so they dropped it.

Upstream or FreeBSD maintainers?
From owner-freebsd-security@freebsd.org Sun Jul 10 15:12:09 2016
Date: Sun, 10 Jul 2016 18:12:04 +0300
From: Andrey Chernov
To: Slawa Olhovchenkov
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
References: <20160710133019.GD20831@zxy.spb.ru> <20160710150143.GK46309@zxy.spb.ru>
In-Reply-To: <20160710150143.GK46309@zxy.spb.ru>

On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>> I am surprised by the lack of GOST support in openssl-base.
>>> Can this be enabled before 11.0 is released?
>>
>> AFAIK the openssl maintainers say something like they can't support this
>> code and it will become rotten shortly with new changes, so they dropped it.
>
> Upstream or FreeBSD maintainers?

Openssl maintainers.
From owner-freebsd-security@freebsd.org Sun Jul 10 15:13:31 2016
Date: Sun, 10 Jul 2016 18:13:22 +0300
From: Andrey Chernov
To: Slawa Olhovchenkov
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <9ead7cd7-7d1b-2dd8-eea8-43f7766d92a9@freebsd.org>
References: <20160710133019.GD20831@zxy.spb.ru> <20160710150143.GK46309@zxy.spb.ru>

On 10.07.2016 18:12, Andrey Chernov wrote:
> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised by the lack of GOST support in openssl-base.
>>>> Can this be enabled before 11.0 is released?
>>>
>>> AFAIK the openssl maintainers say something like they can't support this
>>> code and it will become rotten shortly with new changes, so they dropped it.
>>
>> Upstream or FreeBSD maintainers?
>
> Openssl maintainers.

I.e. upstream.
From owner-freebsd-security@freebsd.org Sun Jul 10 15:28:08 2016
Date: Sun, 10 Jul 2016 18:28:04 +0300
From: Andrey Chernov
To: Slawa Olhovchenkov
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
References: <20160710133019.GD20831@zxy.spb.ru> <20160710150143.GK46309@zxy.spb.ru> <9ead7cd7-7d1b-2dd8-eea8-43f7766d92a9@freebsd.org>
In-Reply-To: <9ead7cd7-7d1b-2dd8-eea8-43f7766d92a9@freebsd.org>

On 10.07.2016 18:13, Andrey Chernov wrote:
> On 10.07.2016 18:12, Andrey Chernov wrote:
>> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>> I am surprised by the lack of GOST support in openssl-base.
>>>>> Can this be enabled before 11.0 is released?
>>>>
>>>> AFAIK the openssl maintainers say something like they can't support this
>>>> code and it will become rotten shortly with new changes, so they dropped it.
>>>
>>> Upstream or FreeBSD maintainers?
>>
>> Openssl maintainers.
>
> I.e. upstream.

They mean the built-in one, dropped from openssl 1.1.0 and above.
It is still available as a 3rd-party one at:
https://github.com/gost-engine/engine

From owner-freebsd-security@freebsd.org Sun Jul 10 15:37:02 2016
Date: Sun, 10 Jul 2016 18:36:58 +0300
From: Andrey Chernov
To: Slawa Olhovchenkov
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <569cee41-97f5-3914-7d65-f788dd697d42@freebsd.org>
References: <20160710133019.GD20831@zxy.spb.ru> <20160710150143.GK46309@zxy.spb.ru> <9ead7cd7-7d1b-2dd8-eea8-43f7766d92a9@freebsd.org>

On 10.07.2016 18:28, Andrey Chernov wrote:
> On 10.07.2016 18:13, Andrey Chernov wrote:
>> On 10.07.2016 18:12, Andrey Chernov wrote:
>>> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
>>>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
>>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>>> I am surprised by the lack of GOST support in openssl-base.
>>>>>> Can this be enabled before 11.0 is released?
>>>>>
>>>>> AFAIK the openssl maintainers say something like they can't support this
>>>>> code and it will become rotten shortly with new changes, so they dropped it.
>>>>
>>>> Upstream or FreeBSD maintainers?
>>>
>>> Openssl maintainers.
>>
>> I.e. upstream.
>
> They mean the built-in one, dropped from openssl 1.1.0 and above. It is
> still available as a 3rd-party one at:
> https://github.com/gost-engine/engine

From their Changelog:

  *) The GOST engine was out of date and therefore it has been removed. An up
     to date GOST engine is now being maintained in an external repository.
     See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
     support for GOST ciphersuites (these are only activated if a GOST engine
     is present).
     [Matt Caswell]

From owner-freebsd-security@freebsd.org Mon Jul 11 10:28:58 2016
Date: Mon, 11 Jul 2016 13:29:06 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Andrey Chernov
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20160711102906.GN46309@zxy.spb.ru>
References: <20160710133019.GD20831@zxy.spb.ru> <20160710150143.GK46309@zxy.spb.ru> <9ead7cd7-7d1b-2dd8-eea8-43f7766d92a9@freebsd.org>

On Sun, Jul 10, 2016 at 06:28:04PM +0300, Andrey Chernov wrote:
> On 10.07.2016 18:13, Andrey Chernov wrote:
> > On 10.07.2016 18:12, Andrey Chernov wrote:
> >> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
> >>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised by the lack of GOST support in openssl-base.
> >>>>> Can this be enabled before 11.0 is released?
> >>>>
> >>>> AFAIK the openssl maintainers say something like they can't support this
> >>>> code and it will become rotten shortly with new changes, so they dropped it.
> >>>
> >>> Upstream or FreeBSD maintainers?
> >>
> >> Openssl maintainers.
> >
> > I.e. upstream.
>
> They mean the built-in one, dropped from openssl 1.1.0 and above. It is
> still available as a 3rd-party one at:
> https://github.com/gost-engine/engine

I.e. GOST will be available in openssl,
under a BSD-like license.
Can this engine be imported into the base system and enabled at the time of 1.1.0?
And can GOST be enabled now?

From owner-freebsd-security@freebsd.org Mon Jul 11 16:29:01 2016
Date: Mon, 11 Jul 2016 19:29:02 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Mark Felder
Cc: Andrey Chernov, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20160711162902.GO46309@zxy.spb.ru>
References: <20160710133019.GD20831@zxy.spb.ru> <20160710150143.GK46309@zxy.spb.ru> <9ead7cd7-7d1b-2dd8-eea8-43f7766d92a9@freebsd.org> <20160711102906.GN46309@zxy.spb.ru> <1468253073.695754.662984777.1E8F9C28@webmail.messagingengine.com>
In-Reply-To: <1468253073.695754.662984777.1E8F9C28@webmail.messagingengine.com>

On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> > I.e. GOST will be available in openssl,
> > under a BSD-like license.
> > Can this engine be imported into the base system and enabled at the time of 1.1.0?
> > And can GOST be enabled now?
>
> I think the wrong question is being asked here. Instead we need to focus
> on decoupling openssl from base so this can all be handled by ports.

This is the wrong direction under the current policy.

ports: unsupported by the FreeBSD core and security teams, no guarantee of
compatibility between options and applications.

base: supported by the FreeBSD core and security teams, covered by CI,
checked for forward and backward API and ABI compatibility.
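The base-versus-ports question above is, on a real host, a question of which OpenSSL binary and which libssl a program ends up with, and the changelog quoted earlier says GOST ciphersuites only come alive when a GOST engine is present. The script below is an added example, not a script from the thread or from the FreeBSD project; it checks each OpenSSL for a loadable GOST engine and for GOST ciphersuites, and shows which libssl a given program is linked against. It assumes the FreeBSD default paths (/usr/bin/openssl for the base OpenSSL, /usr/local/bin/openssl for the security/openssl port) and the `openssl engine -t` and `openssl ciphers` subcommands of OpenSSL 1.0/1.1.

```shell
#!/bin/sh
# gost_check.sh: added example, not from the thread or the FreeBSD project.
# Reports, for the base and ports OpenSSL binaries on a FreeBSD host, whether
# a GOST engine loads and whether libssl lists any GOST ciphersuites, and
# shows which libssl a given program is linked against. The two binary paths
# are the FreeBSD defaults (base in /usr/bin, security/openssl in /usr/local).

BASE_OPENSSL=/usr/bin/openssl
PORT_OPENSSL=/usr/local/bin/openssl

# Print the version banner of an openssl binary; fail if it is not there.
openssl_version() {
    [ -x "$1" ] || return 1
    "$1" version 2>/dev/null
}

# Succeed only if "openssl engine -t gost" loads the engine and reports it
# as "[ available ]". Base OpenSSL, or 1.1.0+ without the external
# gost-engine, prints an "invalid engine" error instead, so this fails.
gost_engine_available() {
    [ -x "$1" ] || return 1
    "$1" engine -t gost 2>/dev/null | grep -q '\[ available \]'
}

# Print the GOST TLS ciphersuites libssl would offer. Without a GOST engine
# the cipher string "GOST" matches nothing, openssl prints "Error in cipher
# list" and exits non-zero, so the output is empty and the status is 1.
gost_ciphersuites() {
    [ -x "$1" ] || return 1
    "$1" ciphers -v 'GOST' 2>/dev/null
}

# Print the path of the libssl a dynamically linked program resolves to,
# or nothing if ldd cannot read the file. /usr/lib/libssl.so.* is the base
# library, /usr/local/lib/libssl.so.* the port's.
linked_libssl() {
    [ -e "$1" ] || return 1
    ldd "$1" 2>/dev/null | awk '/libssl\.so/ { print $3; exit }'
}

# Summarise one openssl binary. Always returns 0 so it is safe under set -e.
report_binary() {
    bin="$1"
    if ! ver=$(openssl_version "$bin"); then
        echo "$bin: not installed"
        return 0
    fi
    echo "$bin: $ver"
    if gost_engine_available "$bin"; then
        echo "  GOST engine: available"
        echo "  GOST ciphersuites offered by libssl:"
        gost_ciphersuites "$bin" | sed 's/^/    /'
    else
        echo "  GOST engine: not available (libssl will offer no GOST ciphersuites)"
    fi
    return 0
}

# Report both OpenSSL installations, then the libssl of each program given.
report_all() {
    report_binary "$BASE_OPENSSL"
    report_binary "$PORT_OPENSSL"
    for prog in "$@"; do
        lib=$(linked_libssl "$prog") || lib=""
        echo "$prog: libssl -> ${lib:-not found}"
    done
    return 0
}

# Usage: sh gost_check.sh /usr/local/sbin/named /usr/local/bin/curl
report_all "$@"
```

Run it with the binaries you care about as arguments (for example the named from the bind ports in the quoted commit): a program whose libssl resolves to /usr/lib/libssl.so.* is using the base library, and the GOST engine line for /usr/bin/openssl tells you whether that library can negotiate GOST suites at all.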
From owner-freebsd-security@freebsd.org Mon Jul 11 16:04:35 2016
Date: Mon, 11 Jul 2016 11:04:33 -0500
From: Mark Felder <feld@feld.me>
To: Slawa Olhovchenkov, Andrey Chernov
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Message-Id: <1468253073.695754.662984777.1E8F9C28@webmail.messagingengine.com>
In-Reply-To: <20160711102906.GN46309@zxy.spb.ru>
X-Mailman-Approved-At: Mon, 11 Jul 2016 16:35:48 +0000

On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
>
> I.e. GOST will be available in openssl,
> under a BSD-like license.
> Can this engine be imported into the base system and enabled at the time of 1.1.0?
> And can GOST be enabled now?
>

I think the wrong question is being asked here. Instead we need to focus
on decoupling openssl from base so this can all be handled by ports.
-- 
Mark Felder
feld@feld.me

From owner-freebsd-security@freebsd.org Mon Jul 11 16:39:38 2016
Date: Mon, 11 Jul 2016 18:39:34 +0200
From: Kurt Jaeger
To: Mark Felder
Cc: Slawa Olhovchenkov, Andrey Chernov, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20160711163934.GD95302@home.opsec.eu>
In-Reply-To: <1468253073.695754.662984777.1E8F9C28@webmail.messagingengine.com>
X-Mailman-Approved-At: Mon, 11 Jul 2016 16:46:01 +0000

Hi!

> > I.e. GOST will be available in openssl,
> > under a BSD-like license.
> > Can this engine be imported into the base system and enabled at the time of 1.1.0?
> > And can GOST be enabled now?

> I think the wrong question is being asked here. Instead we need to focus
> on decoupling openssl from base so this can all be handled by ports.

As far as I know, GOST is a standardized crypto algo in .ru; it's
suggested (required?) by the government in .ru.

So, if FreeBSD does not want to alienate the .ru userbase, GOST probably
should be in base. I'm not sure how difficult that would be.

-- 
pi@opsec.eu                +49 171 3101372                         4 years to go !
From: Andrey Chernov
To: Slawa Olhovchenkov, Mark Felder
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Mon, 11 Jul 2016 19:48:44 +0300
Subject: Re: GOST in OPENSSL_BASE
In-Reply-To: <20160711162902.GO46309@zxy.spb.ru>

On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
>> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
>>> I.e. GOST will be available in openssl.
>>> Under BSD-like license.
>>> Can this engine be imported into the base system and enabled at the time of 1.1.0?
>>> And can GOST be enabled now?
>>
>> I think the wrong question is being asked here. Instead we need to focus
>> on decoupling openssl from base so this can all be handled by ports.
>
> This is the wrong direction with the current policy.
> ports: unsupported by FreeBSD core and security team, not guaranteed to be compatible
> between options and applications.
>
> base: supported by FreeBSD core and security team, covered by CI,
> checked for forward and backward API and ABI compatibility.

Ports are supported by secteam, and recently I noticed a "headsup" mail
with the intention to make base openssl private and switch all ports to
the security/openssl port.

Adding GOST as a 3rd party plugin is technically possible in both
(base, ports) cases; the rest of the decision is up to the FreeBSD openssl
maintainers and possible contributors' efforts.

I need to specially point to the "patches" section of the 3rd party GOST
plugin: from just viewing, I don't understand whether those additional
openssl patches should be applied to openssl for GOST, or whether they just
reflect existing changes in openssl.

From owner-freebsd-security@freebsd.org Mon Jul 11 17:03:09 2016
From: Andrei
To: freebsd-security@freebsd.org
Date: Mon, 11 Jul 2016 18:54:09 +0200
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20160711185409.640b2d4d@azsupport.com>
In-Reply-To: <20160711163934.GD95302@home.opsec.eu>
On Mon, 11 Jul 2016 18:39:34 +0200 Kurt Jaeger wrote:
> As far as I know, GOST is a standardized crypto algo in .ru, it's
> suggested (required?) by the government in .ru. So, if FreeBSD does
> not want to alienate the .ru userbase, GOST probably should be in
> base.
>
> I'm not sure how difficult that would be.

Care about the Russian terrorist government? About Putin? No, thanks!

From owner-freebsd-security@freebsd.org Mon Jul 11 17:09:45 2016
From: Andrey Chernov
To: Andrei, freebsd-security@freebsd.org
Date: Mon, 11 Jul 2016 20:09:35 +0300
Subject: Re: GOST in OPENSSL_BASE
In-Reply-To: <20160711185409.640b2d4d@azsupport.com>

On 11.07.2016 19:54, Andrei wrote:
> On Mon, 11 Jul 2016 18:39:34 +0200
> Kurt Jaeger wrote:
>
>> As far as I know, GOST is a standardized crypto algo in .ru, it's
>> suggested (required?) by the government in .ru. So, if FreeBSD does
>> not want to alienate the .ru userbase, GOST probably should be in
>> base.
>>
>> I'm not sure how difficult that would be.
> Care about the Russian terrorist government? About Putin? No, thanks!

Unfortunately, it affects normal people and organizations here,
including internet providers f.e., and does not affect Putin or the government in
any way. Document workflows require digital signatures by GOST.

From owner-freebsd-security@freebsd.org Mon Jul 11 17:34:44 2016
From: Sergej Schmidt
To: freebsd-security@freebsd.org
Date: Mon, 11 Jul 2016 19:32:08 +0200
Subject: Re: GOST in OPENSSL_BASE

On 07/11/2016 07:09 PM, Andrey Chernov wrote:
> On 11.07.2016 19:54, Andrei wrote:
>> On Mon, 11 Jul 2016 18:39:34 +0200
>> Kurt Jaeger wrote:
>>
>>> As far as I know, GOST is a standardized crypto algo in .ru, it's
>>> suggested (required?) by the government in .ru. So, if FreeBSD does
>>> not want to alienate the .ru userbase, GOST probably should be in
>>> base.
>>>
>>> I'm not sure how difficult that would be.
>> Care about the Russian terrorist government? About Putin? No, thanks!

Wtf is this? This is an international community and this list is read
across the world. There's no place for your political beliefs.
Especially when expressed in such a manner. Please keep it to yourself.

> Unfortunately, it affects normal people and organizations here,
> including internet providers f.e., and does not affect Putin or the government in
> any way. Document workflows require digital signatures by GOST.

From owner-freebsd-security@freebsd.org Mon Jul 11 18:08:31 2016
From: Andrei
To: freebsd-security@freebsd.org
Date: Mon, 11 Jul 2016 20:07:54 +0200
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20160711200754.5abf2ae3@azsupport.com>

On Mon, 11 Jul 2016 20:09:35 +0300 Andrey Chernov wrote:
> >> As far as I know, GOST is a standardized crypto algo in .ru, it's
> >> suggested (required?) by the government in .ru. So, if FreeBSD does
> >> not want to alienate the .ru userbase, GOST probably should be in
> >> base.
> >>
> >> I'm not sure how difficult that would be.
> > Care about the Russian terrorist government? About Putin? No, thanks!
>
> Unfortunately, it affects normal people and organizations here,
> including internet providers f.e., and does not affect Putin or the government
> in any way. Document workflows require digital signatures by GOST.

From 20 July of this year, "organizers of information distribution on the
Internet" in Russia must have the ability to decrypt all traffic under the
"Yarovaya law".

"There's another important amendment aimed at “organizers of information
distribution on the Internet”: if an online service—a messenger app, a
social network, an email client, or even just a website—encrypts its data, its
owners will be required to help the Federal Security Service decipher any
message sent by its users. The fine for refusing to cooperate can be as
high as a million rubles (more than $15,000)."

https://meduza.io/en/feature/2016/06/24/russia-s-state-duma-just-approved-some-of-the-most-repressive-laws-in-post-soviet-history
http://www.ibtimes.com/russian-anti-terrorism-law-signed-amid-business-human-rights-outcry-how-big-brother-2389849

Maybe Russian GOST was made with options to decrypt.. Nice backdoor from the FSB? ;)

> Wtf is this? This is an international community and this list is read
> across the world. There's no place for your political beliefs.
> Especially when expressed in such a manner. Please keep it to yourself.

I will write what I want. I live in a democratic country, not in Russia.
From owner-freebsd-security@freebsd.org Mon Jul 11 18:28:53 2016
From: Jung-uk Kim
To: Andrey Chernov, Slawa Olhovchenkov, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Mon, 11 Jul 2016 14:28:45 -0400
Subject: Re: GOST in OPENSSL_BASE

On 07/10/16 10:10 AM, Andrey Chernov wrote:
> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>> I am surprised by the lack of support for GOST in openssl-base.
>> Can this be enabled before 11.0 is released?
>
> AFAIK the openssl maintainers say something like they can't support this
> code and it will become rotten shortly with new changes, so they dropped it.

[OpenSSL-maintainer-for-the-base hat on]

GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
these branches unless secteam explicitly asks us to do so. However, we
*may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.

[OpenSSL-maintainer-for-the-base hat off]

Jung-uk Kim

From owner-freebsd-security@freebsd.org Mon Jul 11 18:41:15 2016
From: Slawa Olhovchenkov
To: Jung-uk Kim
Cc: Andrey Chernov, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Mon, 11 Jul 2016 21:41:22 +0300
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20160711184122.GP46309@zxy.spb.ru>

On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> > On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >> I am surprised by the lack of support for GOST in openssl-base.
> >> Can this be enabled before 11.0 is released?
> >
> > AFAIK the openssl maintainers say something like they can't support this
> > code and it will become rotten shortly with new changes, so they dropped it.
>
> [OpenSSL-maintainer-for-the-base hat on]
>
> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
> these branches unless secteam explicitly asks us to do so. However, we
> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
>
> [OpenSSL-maintainer-for-the-base hat off]
>
> Jung-uk Kim

Thanks!

Maybe a PR needs to be filed for dns/bind910?

# grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
.include

.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
BROKEN=	OpenSSL from the base system does not support GOST, add \
	DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
	that needs SSL.
.endif

From owner-freebsd-security@freebsd.org Mon Jul 11 19:00:45 2016
From: Jung-uk Kim
To: Slawa Olhovchenkov
Cc: Andrey Chernov, Mathieu Arnold, FreeBSD-current, freebsd-security
Date: Mon, 11 Jul 2016 15:00:39 -0400
Subject: Re: GOST in OPENSSL_BASE
In-Reply-To: <20160711184122.GP46309@zxy.spb.ru>
On 07/11/16 02:41 PM, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised by the lack of support for GOST in openssl-base.
>>>> Can this be enabled before 11.0 is released?
>>>
>>> AFAIK the openssl maintainers say something like they can't support this
>>> code and it will become rotten shortly with new changes, so they dropped it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
>> these branches unless secteam explicitly asks us to do so. However, we
>> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>
> Thanks!
>
> Maybe a PR needs to be filed for dns/bind910?
>
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include
>
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> BROKEN=	OpenSSL from the base system does not support GOST, add \
> 	DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> 	that needs SSL.
> .endif

FreeBSD 9.3 is still supported but GOST is not available there. It
seems the ports maintainer didn't want to break it on 9.3 (CC added).
A version check may be needed there.

Jung-uk Kim

From owner-freebsd-security@freebsd.org Mon Jul 11 19:55:51 2016
From: Slawa Olhovchenkov
To: Jung-uk Kim
Cc: Andrey Chernov, Mathieu Arnold, FreeBSD-current, freebsd-security
Date: Mon, 11 Jul 2016 22:56:00 +0300
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20160711195600.GQ46309@zxy.spb.ru>
On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> On 07/11/16 02:41 PM, Slawa Olhovchenkov wrote:
> > On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> >
> >> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> >>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>> I am surprised by the lack of support for GOST in openssl-base.
> >>>> Can this be enabled before 11.0 is released?
> >>>
> >>> AFAIK the openssl maintainers say something like they can't support this
> >>> code and it will become rotten shortly with new changes, so they dropped it.
> >>
> >> [OpenSSL-maintainer-for-the-base hat on]
> >>
> >> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
> >> these branches unless secteam explicitly asks us to do so. However, we
> >> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
> >>
> >> [OpenSSL-maintainer-for-the-base hat off]
> >>
> >> Jung-uk Kim
> >
> > Thanks!
> >
> > Maybe a PR needs to be filed for dns/bind910?
> >
> > # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> > .include
> >
> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> > BROKEN=	OpenSSL from the base system does not support GOST, add \
> > 	DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> > 	that needs SSL.
> > .endif
>
> FreeBSD 9.3 is still supported but GOST is not available there. It

Thanks for the clarifications.

> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> A version check may be needed there.

Thanks!
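The bind910 Makefile quoted in the exchange above keys its BROKEN marker on ${SSL_DEFAULT} alone, while Jung-uk Kim's point is that the base OpenSSL carries GOST on 10.x and 11.x but not on 9.3, so the real condition also depends on the release. The script below is an added example, not code from the ports tree or from anyone in this thread. It expresses that gate as a shell function over the same make(1) variables the port sees (OSVERSION, SSL_DEFAULT, PORT_OPTIONS) and adds a live probe of the openssl(1) binary on PATH. The 1000000 boundary is __FreeBSD_version of 10.0; the "(gost)" engine name in `openssl engine` output and the `-md_gost94` digest name are assumptions about the 1.0.x GOST engine, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the ports tree): decide whether bind910's GOST
# options can build against the selected OpenSSL, then probe the live binary.

# Usage: gost_buildable OSVERSION SSL_DEFAULT "PORT_OPTIONS"
# Prints a one-line verdict; exit 0 = buildable, exit 1 = would be BROKEN.
gost_buildable() {
    osversion=$1
    ssl_default=$2
    port_options=$3

    # Neither GOST option selected: nothing to check (mirrors :MGOST / :MGOST_ASN1).
    case " $port_options " in
        *" GOST "*|*" GOST_ASN1 "*) ;;
        *) echo "ok: GOST options not selected"; return 0 ;;
    esac

    # OpenSSL from ports is selected: the port's own GOST option applies,
    # the base library is not involved.
    if [ "$ssl_default" != "base" ]; then
        echo "ok: ssl=$ssl_default from ports"
        return 0
    fi

    # Base OpenSSL: GOST exists on 10.x and 11.x per the base maintainer,
    # but not on 9.3. 1000000 is __FreeBSD_version of 10.0 (assumption:
    # the boundary a ports Makefile would test with ${OSVERSION}).
    if [ "$osversion" -lt 1000000 ]; then
        echo "BROKEN: base OpenSSL on FreeBSD $osversion has no GOST; set DEFAULT_VERSIONS+=ssl=openssl"
        return 1
    fi
    echo "ok: base OpenSSL on FreeBSD $osversion carries the GOST engine"
    return 0
}

# Reads `openssl engine` output on stdin; true if a gost engine is listed.
# Assumes the 1.0.x engine reports itself as "(gost) ...".
engine_list_has_gost() {
    grep -q '^(gost)'
}

# Live probe of the openssl on PATH: engine listed, or the GOST R 34.11-94
# digest usable on a constructed input. Exit 0 if either works, 2 if no openssl.
probe_openssl_gost() {
    command -v openssl >/dev/null 2>&1 || { echo "no openssl on PATH"; return 2; }
    if openssl engine 2>/dev/null | engine_list_has_gost; then
        echo "gost engine present"
        return 0
    fi
    if printf 'constructed test input\n' | openssl dgst -md_gost94 >/dev/null 2>&1; then
        echo "md_gost94 digest usable"
        return 0
    fi
    echo "no GOST support in $(openssl version 2>/dev/null)"
    return 1
}

# Stand-alone demo: the three situations from the thread, then this host.
for scenario in "903000 base GOST" "1003000 base GOST" "903000 openssl GOST"; do
    set -- $scenario
    printf 'OSVERSION=%s SSL_DEFAULT=%s PORT_OPTIONS=%s -> ' "$1" "$2" "$3"
    gost_buildable "$1" "$2" "$3" || true
done
probe_openssl_gost || true
```

The gate reproduces what the Makefile does today for the ports-OpenSSL and no-GOST cases and only differs for base OpenSSL, where it lets 10.x and later through and marks 9.x BROKEN. The probe is the check to run on a build host before trusting either answer, since it asks the installed library rather than the version number.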
From owner-freebsd-security@freebsd.org Mon Jul 11 20:13:41 2016
From: Slawa Olhovchenkov
To: Andrey Chernov
Cc: Mark Felder, freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Mon, 11 Jul 2016 23:13:50 +0300
Subject: Re: GOST in OPENSSL_BASE
Message-ID: <20160711201350.GF20831@zxy.spb.ru>

On Mon, Jul 11, 2016 at 07:48:44PM +0300, Andrey Chernov wrote:
> On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
> > On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
> >> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> >>> I.e. GOST will be available in openssl.
> >>> Under BSD-like license.
> >>> Can this engine be imported into the base system and enabled at the time of 1.1.0?
> >>> And can GOST be enabled now?
> >>
> >> I think the wrong question is being asked here. Instead we need to focus
> >> on decoupling openssl from base so this can all be handled by ports.
> >
> > This is the wrong direction with the current policy.
> > ports: unsupported by FreeBSD core and security team, not guaranteed to be compatible
> > between options and applications.
> >
> > base: supported by FreeBSD core and security team, covered by CI,
> > checked for forward and backward API and ABI compatibility.
>
> Ports are supported by secteam, and recently I noticed a "headsup" mail
> with the intention to make base openssl private and switch all ports to
> the security/openssl port.

I mean `support` is commit reviewing, auditing, etc. Does secteam do it for ports?

> Adding GOST as a 3rd party plugin is technically possible in both
> (base, ports) cases; the rest of the decision is up to the FreeBSD openssl
> maintainers and possible contributors' efforts.
>
> I need to specially point to the "patches" section of the 3rd party GOST
> plugin: from just viewing, I don't understand whether those additional
> openssl patches should be applied to openssl for GOST, or whether they just
> reflect existing changes in openssl.
> > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Mon Jul 11 22:01:29 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6DB68B923A8 for ; Mon, 11 Jul 2016 22:01:29 +0000 (UTC) (envelope-from mailing-machine@vniz.net) Received: from mail-lf0-f48.google.com (mail-lf0-f48.google.com [209.85.215.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id EF2431A44 for ; Mon, 11 Jul 2016 22:01:28 +0000 (UTC) (envelope-from mailing-machine@vniz.net) Received: by mail-lf0-f48.google.com with SMTP id q132so83215916lfe.3 for ; Mon, 11 Jul 2016 15:01:28 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=Vn1rQHeH+UEOOCE1Pml6pfKW1p7+kaZgZCzsfVqPalY=; b=ZAr5ZZNdcjhyytzeh29PI4uMhFWzLDkc4LM0jtYwc+oq/p2xkwJT+q1z/yic1RNrQn s9tRCqJr1Iuy99vt1STIZjRXO/dR9KOB0iomoK8zTZlRhu0So2QwvZdg+MtdqfyGu4rv 9v4PwQEeBk9SYBve4NM/JoRxzHveJKdg2cW1loa40/e8ygB9+G1tb1OZGrzs4Ig0pcUY Z0v7C9KLk9xVK7+GRoRe9z5xyYHx0cAuV15O5PgSXRc2UITYK7VwMFnGEpA7Mw7++qkv bQwuyZWZ8Nl0Ey57HhOxbvp1MK9bOrT5p15xLVXnGCKxmhV6Cs2Lcn0+xOBdR/qsMTBF zSWg== X-Gm-Message-State: ALyK8tLB/UrHC2hJ6S6y4i+YFECZK7cZXxvBWFJbafok3lnjXmMDpnuO991mJ6Szh1Ngng== X-Received: by 10.25.43.202 with SMTP id r193mr5499263lfr.80.1468274486598; Mon, 11 Jul 2016 15:01:26 -0700 (PDT) Received: from [192.168.1.2] ([89.169.173.68]) by smtp.gmail.com with ESMTPSA id 
u77sm5049754lja.18.2016.07.11.15.01.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Jul 2016 15:01:26 -0700 (PDT) Subject: Re: GOST in OPENSSL_BASE To: Slawa Olhovchenkov References: <20160710133019.GD20831@zxy.spb.ru> <20160710150143.GK46309@zxy.spb.ru> <9ead7cd7-7d1b-2dd8-eea8-43f7766d92a9@freebsd.org> <20160711102906.GN46309@zxy.spb.ru> <1468253073.695754.662984777.1E8F9C28@webmail.messagingengine.com> <20160711162902.GO46309@zxy.spb.ru> <20160711201350.GF20831@zxy.spb.ru> Cc: Mark Felder , freebsd-security@freebsd.org, freebsd-current@freebsd.org From: Andrey Chernov Message-ID: <6f8ff1e9-9358-17cb-aca5-ad3abef6b616@freebsd.org> Date: Tue, 12 Jul 2016 01:01:24 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <20160711201350.GF20831@zxy.spb.ru> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Jul 2016 22:01:29 -0000 On 11.07.2016 23:13, Slawa Olhovchenkov wrote: > On Mon, Jul 11, 2016 at 07:48:44PM +0300, Andrey Chernov wrote: > >> On 11.07.2016 19:29, Slawa Olhovchenkov wrote: >>> On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote: >>> >>>> >>>> >>>> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote: >>>>> >>>>> I.e. GOST will be available in openssl. >>>>> Under BSD-like license. >>>>> Can be this engine import in base system and enabled at time 1.1.0? >>>>> And can be GOST enabled now? >>>>> >>>> >>>> I think the wrong question is being asked here. Instead we need to focus >>>> on decoupling openssl from base so this can all be handled by ports. >>> >>> This is wrong direction with current policy. 
>>> ports: unsupported by FreeBSD core and securite team, no guaranted to comaptible >>> between options and applications. >>> >>> base: supported by FreeBSD core and securite team, covered by CI, >>> checked for forward and backward API and ABI compatibility. >>> >> >> Ports are supported by secteam, and recently I notice "headsup" mail >> with intention to make base openssl private and switch all ports to >> security/openssl port. > > I mean `support` is commit reviewing, auditing and etc. > Secteam do it for ports? At least CVEs are tracked. You better ask about whole list of ports secteam duties secteam themselves. > >> Adding of GOST as 3rd party plugin is technically possible in both >> (base, ports) cases, the rest of decision is up to FreeBSD openssl >> maintainers and possible contributors efforts. >> >> I need to specially point to "patches" section of the 3rd party GOST >> plugin, from just viewing I don't understand, are those additional >> openssl patches should be applied to openssl for GOST, or they are just >> reflect existent changes in the openssl. 
>> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@freebsd.org Mon Jul 11 22:35:43 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B9091B92B4E for ; Mon, 11 Jul 2016 22:35:43 +0000 (UTC) (envelope-from mailing-machine@vniz.net) Received: from mail-lf0-f51.google.com (mail-lf0-f51.google.com [209.85.215.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 463A31BFC for ; Mon, 11 Jul 2016 22:35:42 +0000 (UTC) (envelope-from mailing-machine@vniz.net) Received: by mail-lf0-f51.google.com with SMTP id b199so1622333lfe.0 for ; Mon, 11 Jul 2016 15:35:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=H3KEtWkaVb2ASYIsjA2McuG5x3PfOKn4dcj7p3KHA/o=; b=U48pIbBM5nxFvE0xxyQsydHw0a4QS6kLPrT1Cn9hE4Htb+DyKMHRiWEokmFLyJ0Y7y R1eqZnKniyOYtKZLZ4t6yeZ+iSHqXhe652iGCyGgJzltaKA5QzMep8YlcQPzMaQOyJax ScdBA3fbgXYXVGi9z/FmFrdfpSksw8GIZV+3zE01E0T2t9CZVrA/s0J1SocP8G5YHQq9 3rhqKr0Or3xoJ8o/12f3bpJXxs9+CyfiYKFGWWWNDTyBfYjfDRJlAQI9ZQzzYq2HDRJq izPCal5MGlA3R3wR0GZXJIlwTwv7ji09RtZeDgVZ55IFfn7dkN6Q3Imk94sLiCO7lI1L Y4aQ== X-Gm-Message-State: ALyK8tLzVjQJoIUJBAlZmvGxbBujhmGdfMSpzef3PbGbcCkXpMpAe52uUIYUfeaGimvekg== X-Received: by 10.46.1.222 with SMTP id f91mr282149lji.1.1468276535018; Mon, 11 Jul 2016 15:35:35 -0700 (PDT) Received: from [192.168.1.2] ([89.169.173.68]) by smtp.gmail.com with ESMTPSA id 
From: Andrey Chernov
To: Andrei, freebsd-security@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 01:35:33 +0300
Message-ID: <15c796c8-6512-da19-7155-81fc4a1bb424@freebsd.org>
In-Reply-To: <20160711200754.5abf2ae3@azsupport.com>

On 11.07.2016 21:07, Andrei wrote:
> On Mon, 11 Jul 2016 20:09:35 +0300
> Andrey Chernov wrote:
>> Unfortunately, it affects normal people and organizations here,
>> including internet providers f.e. and does not affect Putin or the government
>> in any way. Document workflows require digital signatures by GOST.
> Maybe Russian GOST was made with options to decrypt.. Nice backdoor from the FSB? ;)

Official document workflows use GOST signatures for authenticity and
consistency verification, so there is no harm in having an FSB backdoor in
the algo unless some hacker finds it. Just don't use GOST for anything else,
to stay on the safe side. BTW, the latest GOST is based on elliptic curves,
so from a math point of view the probability of having a backdoor here is
minimal.
See https://ru.wikipedia.org/wiki/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_34.10-2012
You can consider the GOST goals to be the same as the FIPS ones, with the
reason to have things "domestically produced".

From owner-freebsd-security@freebsd.org Mon Jul 11 22:45:04 2016
From: Andrey Chernov
To: Slawa Olhovchenkov, Jung-uk Kim
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 01:44:54 +0300
Message-ID: <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org>
In-Reply-To: <20160711184122.GP46309@zxy.spb.ru>

On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>
>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>> I am surprised by the lack of GOST support in openssl-base.
>>>> Can this be enabled before 11.0 is released?
>>>
>>> AFAIK openssl maintainers say something like they can't support this
>>> code and it will become rotten shortly with new changes, so they drop it.
>>
>> [OpenSSL-maintainer-for-the-base hat on]
>>
>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
>> these branches unless secteam explicitly asks us to do so. However, we
>> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
>>
>> [OpenSSL-maintainer-for-the-base hat off]
>>
>> Jung-uk Kim
>
> Thanks!
>
> Maybe a PR needs to be filed for dns/bind910?
>
> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> .include
>
> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> BROKEN= OpenSSL from the base system does not support GOST, add \
> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> that needs SSL.
> .endif

I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
doesn't use GOST, so I vote for removing the GOST option from there.

From owner-freebsd-security@freebsd.org Mon Jul 11 22:52:04 2016
From: Andrey Chernov
To: Slawa Olhovchenkov, Jung-uk Kim
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 01:51:54 +0300
In-Reply-To: <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org>

On 12.07.2016 1:44, Andrey Chernov wrote:
> On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
>> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>>
>>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>> I am surprised by the lack of GOST support in openssl-base.
>>>>> Can this be enabled before 11.0 is released?
>>>>
>>>> AFAIK openssl maintainers say something like they can't support this
>>>> code and it will become rotten shortly with new changes, so they drop it.
>>>
>>> [OpenSSL-maintainer-for-the-base hat on]
>>>
>>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
>>> these branches unless secteam explicitly asks us to do so. However, we
>>> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
>>>
>>> [OpenSSL-maintainer-for-the-base hat off]
>>>
>>> Jung-uk Kim
>>
>> Thanks!
>>
>> Maybe a PR needs to be filed for dns/bind910?
>>
>> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>> .include
>>
>> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
>> BROKEN= OpenSSL from the base system does not support GOST, add \
>> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
>> that needs SSL.
>> .endif
>
> I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
> doesn't use GOST, so I vote for removing the GOST option from there.

I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
https://tools.ietf.org/html/rfc5933
but nobody really uses it.

From owner-freebsd-security@freebsd.org Tue Jul 12 08:17:13 2016
From: Sergej Schmidt
To: freebsd-security@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 09:12:45 +0200
Message-ID: <74eb916c-60f8-5505-3922-cc6d9de0343d@uni-ulm.de>
In-Reply-To: <20160711200754.5abf2ae3@azsupport.com>

On 07/11/2016 08:07 PM, Andrei wrote:
> On Mon, 11 Jul 2016 20:09:35 +0300
> Andrey Chernov wrote:
>
>>>> As far as I know, GOST is a standardized crypto algo in .ru, it's
>>>> suggested (required?) by the government in .ru. So, if FreeBSD does
>>>> not want to alienate the .ru userbase, GOST probably should be in
>>>> base.
>>>>
>>>> I'm not sure how difficult that would be.
>>> Care about the Russian terrorist government? About Putin? No, thanks!
>> Unfortunately, it affects normal people and organizations here,
>> including internet providers f.e. and does not affect Putin or the government
>> in any way. Document workflows require digital signatures by GOST.
> From 20 July of this year "organizers of information distribution on the Internet"
> in Russia must have the ability to decrypt all traffic by the "Yarovaya law".
>
> "There's another important amendment aimed at “organizers of information
> distribution on the Internet”: if an online service—a messenger app, a social
> network, an email client, or even just a website—encrypts its data, its
> owners will be required to help the Federal Security Service decipher any
> message sent by its users. The fine for refusing to cooperate can be as high
> as a million rubles (more than $15,000)."
> https://meduza.io/en/feature/2016/06/24/russia-s-state-duma-just-approved-some-of-the-most-repressive-laws-in-post-soviet-history
> http://www.ibtimes.com/russian-anti-terrorism-law-signed-amid-business-human-rights-outcry-how-big-brother-2389849
>
> Maybe Russian GOST was made with options to decrypt.. Nice backdoor from the FSB? ;)

Many of the constraints in that text excerpt apply not only to Russia but
also to the US, the country I live in, and to many other European countries
too. If you only look for the stuff you want to find, you won't see the
rest. You maybe should look up which cooperation your country's
citizens/businesses have to provide when forced by law enforcement. Btw, I
am at least roughly aware of Russia's advances in law enforcement.

>
>> Wtf is this? This is an international community and this list is read
>> across the world. There's no place for your political beliefs.
>> Especially when expressed in such a manner. Please keep it to yourself.
> I will write what I want. I live in a democratic country, not in Russia.

This is not about freedom of speech in a democracy. Screaming your weird
opinion in an insulting way is not a characteristic unique to a democracy;
it's one for a Trump rally. This is simply the wrong place for it,
especially considering the tone. It's the "Freebsd-Security" list. That was
my whole point. However, I am happy to see I am the only one taking this
seriously and others are having a productive conversation. I see you are a
person not to reason with, so I will do others here a favor and stop
discussing this.

From owner-freebsd-security@freebsd.org Tue Jul 12 09:16:06 2016
From: Andrey Chernov
To: Kevin Oberman
Cc: Slawa Olhovchenkov, Jung-uk Kim, freebsd-security@freebsd.org, FreeBSD Current
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 12:16:02 +0300
Message-ID: <673ea9f5-e5e5-91e0-5bd1-2119c2f7b493@freebsd.org>

On 12.07.2016 8:48, Kevin Oberman wrote:
> >> Maybe a PR needs to be filed for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> >> that needs SSL.
> >> .endif
> >
> > I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
> > doesn't use GOST, so I vote for removing the GOST option from there.
> >
> > I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
> > https://tools.ietf.org/html/rfc5933
> > but nobody really uses it.
>
> In case people are not aware of it, Russian law now requires ALL
> encrypted traffic must either be accessible by the FSB or that the
> private keys must be available to the FSB.

It is not quite so. All traffic must be available for 6 months and they
express an intention to ask big companies for their private keys, but the
latter is not required by the law (not yet...)

> I have always assumed that
> GOST has a hidden vulnerability/backdoor that the FSB is already using,

I already answered this question elsewhere in this thread with the reference.

> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
> law, which is clearly impossible, but I suspect that there will be a
> huge effort to pick all low-hanging fruit. As a result, I suspect no one
> outside of Russia will touch GOST. (Not that they do now, either.) I'd
> hate to see its support required for any protocol except in Russia as
> someone will be silly enough to use it.

I already explained the required GOST usage pattern in this thread.

From owner-freebsd-security@freebsd.org Tue Jul 12 09:43:20 2016
From: Andrey Chernov
To: Kevin Oberman
Cc: Slawa Olhovchenkov, Jung-uk Kim, freebsd-security@freebsd.org, FreeBSD Current
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 12:36:29 +0300
Message-ID: <9ef020b8-077c-b7a7-bfa5-ddb51f85e632@freebsd.org>
In-Reply-To: <673ea9f5-e5e5-91e0-5bd1-2119c2f7b493@freebsd.org>

On 12.07.2016 12:16, Andrey Chernov wrote:
> On 12.07.2016 8:48, Kevin Oberman wrote:
>> >> Maybe a PR needs to be filed for dns/bind910?
>> >>
>> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>> >> .include
>> >>
>> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
>> >> BROKEN= OpenSSL from the base system does not support GOST, add \
>> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
>> >> that needs SSL.
>> >> .endif
>> >
>> > I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
>> > doesn't use GOST, so I vote for removing the GOST option from there.
>> >
>> > I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
>> > https://tools.ietf.org/html/rfc5933
>> > but nobody really uses it.
>>
>> In case people are not aware of it, Russian law now requires ALL
>> encrypted traffic must either be accessible by the FSB or that the
>> private keys must be available to the FSB.
>
> It is not quite so. All traffic must be available for 6 months and they
> express an intention to ask big companies for their private keys, but the
> latter is not required by the law (not yet...)
>
>> I have always assumed that
>> GOST has a hidden vulnerability/backdoor that the FSB is already using,
>
> I already answered this question elsewhere in this thread with the reference.
>
>> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
>> law, which is clearly impossible, but I suspect that there will be a
>> huge effort to pick all low-hanging fruit. As a result, I suspect no one
>> outside of Russia will touch GOST. (Not that they do now, either.) I'd
>> hate to see its support required for any protocol except in Russia as
>> someone will be silly enough to use it.
>
> I already explained the required GOST usage pattern in this thread.

Ah, I see, the freebsd-current list was excluded by someone, so I repeat
what I wrote:

Official document workflows here require using GOST signatures for
authenticity and consistency verification; they are needed or, in some
cases, required for both people and companies. Since it is official in any
case, there is no harm in having an FSB backdoor in the algo unless some
hacker finds it. Just don't use GOST for anything else, to stay on the safe
side. BTW, the latest GOST is based on elliptic curves, so from a math
point of view the probability of having a backdoor here is minimal. I
didn't examine its implementation.
See https://ru.wikipedia.org/wiki/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_34.10-2012
You can consider the GOST goals to be the same as the FIPS ones, with the
reason to have things "domestically produced".
From owner-freebsd-security@freebsd.org Tue Jul 12 08:47:48 2016
From: Kevin Oberman
To: Andrey Chernov
Cc: Slawa Olhovchenkov, Jung-uk Kim, freebsd-security@freebsd.org, FreeBSD Current
Subject: Re: GOST in OPENSSL_BASE
Date: Mon, 11 Jul 2016 22:48:00 -0700

On Mon, Jul 11, 2016 at 3:51 PM, Andrey Chernov wrote:
> On 12.07.2016 1:44, Andrey Chernov wrote:
> > On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
> >> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> >>
> >>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> >>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >>>>> I am surprised by the lack of support for GOST in openssl-base.
> >>>>> Can this be enabled before 11.0 is released?
> >>>>
> >>>> AFAIK the openssl maintainers say something like they can't support this
> >>>> code and it will become rotten shortly with new changes, so they drop it.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat on]
> >>>
> >>> GOST is supported on FreeBSD 10.x and 11.x. We will not drop it on
> >>> these branches unless secteam explicitly asks us to do so. However, we
> >>> *may* drop it from 12.0 *iff* we import the OpenSSL 1.1.0 branch.
> >>>
> >>> [OpenSSL-maintainer-for-the-base hat off]
> >>>
> >>> Jung-uk Kim
> >>>
> >>
> >> Thanks!
> >>
> >> Maybe we need to file a PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >>         DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> >>         that needs SSL.
> >> .endif
> >>
> >
> > I dislike the idea of using GOST in bind; it is unneeded there, DNSSEC
> > doesn't use GOST, so I vote for removing the GOST option from there.
> >
>
> I need to note that an RFC exists proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really uses it.

In case people are not aware of it, Russian law now requires that ALL encrypted traffic either be accessible by the FSB or that the private keys be available to the FSB. I have always assumed that GOST has a hidden vulnerability/backdoor that the FSB is already using, but this makes it mandatory. Putin gave the FSB 2 weeks to implement the law, which is clearly impossible, but I suspect that there will be a huge effort to pick all low-hanging fruit. As a result, I suspect no one outside of Russia will touch GOST. (Not that they do now, either.) I'd hate to see its support required for any protocol except in Russia as someone will be silly enough to use it. (It's not possible because it requires the 6 month storage of all Internet data and voice communications, which will require the immediate installation of massive amounts of storage, not to mention the floor space, cooling, and power to support those disks.)
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

From owner-freebsd-security@freebsd.org Tue Jul 12 13:25:43 2016
From: Andrei
To: freebsd-security@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 15:25:38 +0200
Message-ID: <20160712152538.7a5aebb6@azsupport.com>
In-Reply-To: <74eb916c-60f8-5505-3922-cc6d9de0343d@uni-ulm.de>

On Tue, 12 Jul 2016 09:12:45 +0200 Sergej Schmidt wrote:
> > Maybe russian GOST made with options to decrypt.. Nice backdoor
> > from FSB? ;)
> Many of the constraints in that text excerpt apply not only to Russia
> but also to the US, the country I live in, and many other European
> countries too. If you only look for stuff you want to find you won't
> see the rest. You maybe should look up which cooperation your country's
> citizens/businesses have to do when forced by law enforcement.
> Btw, I am at least roughly aware of Russia's advances in law
> enforcement.
>
> > >> Wtf is this? This is an international community and this list is
> > >> read across the world. There's no place for your political beliefs.
> > >> Especially when expressed in such manner. Please keep it to
> > >> yourself.
> > I will write what I want. I live in a democratic country, not in
> > Russia.
> This is not about freedom of speech in a democracy. Screaming your
> weird opinion in an insulting way is not a unique characteristic of a
> democracy, it's one for a Trump rally. This is simply the wrong place
> for it, especially considering the tone. It's the
> "Freebsd-Security"-list. That was my whole point. However I am happy
> to see I am the only one taking this seriously and others are having a
> productive conversation. I see you are a person not to reason with so
> I will do others here a favor and stop discussing this.

If not, then what? You will ask Putler to move the russian army to my country for supporting russian GOST because "degradable" european "nazi/fags/arabs/jews" geeks don't want to have a backdoor from Russia?

Oh man.. keep your FSB talk tricks away from FreeBSD and from the internet. We clearly understand that guys like you can work for the FSB and live in the USA or Europe. Do the German police know about the russian propagandist "Sergej Schmidt"?

Everybody must be aware that it is very suspicious that the russian GOST encryption is being pushed very aggressively everywhere against the background of the traffic decryption law in Russia.
From owner-freebsd-security@freebsd.org Tue Jul 12 14:35:15 2016
From: Marc van Houtum
To: freebsd-security@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 15:57:25 +0200
Message-ID: <8a147a5a-300a-ced6-47d9-dd7e8b4e743c@dutchsecurity.net>
In-Reply-To: <20160712152538.7a5aebb6@azsupport.com>

On 12-7-2016 15:25, Andrei wrote:
>> This is not about freedom of speech in a democracy. Screaming your
>> weird opinion in an insulting way is not a unique characteristic of a
>> democracy, it's one for a Trump rally. This is simply the wrong place
>> for it, especially considering the tone. It's the
>> "Freebsd-Security"-list. That was my whole point. However I am happy
>> to see I am the only one taking this seriously and others are having a
>> productive conversation. I see you are a person not to reason with so
>> I will do others here a favor and stop discussing this.
> If not, then what? You will ask Putler to move the russian army to my
> country for supporting russian GOST because "degradable" european
> "nazi/fags/arabs/jews" geeks don't want to have a backdoor from Russia?
>
> Oh man.. keep your FSB talk tricks away from FreeBSD and from the
> internet. We clearly understand that guys like you can work for the FSB
> and live in the USA or Europe. Do the German police know about the
> russian propagandist "Sergej Schmidt"?
>
> Everybody must be aware that it is very suspicious that the russian GOST
> encryption is being pushed very aggressively everywhere against the
> background of the traffic decryption law in Russia.

Please refrain from going off-topic too much. There are many places on the internet where you can have discussions about politics, but the freebsd-security mailing list is not one of them.
- M

From owner-freebsd-security@freebsd.org Wed Jul 13 07:45:26 2016
From: Steve Clement
To: freebsd-security@freebsd.org
Subject: FreeBSD - a lesson in poor defaults?
Date: Wed, 13 Jul 2016 09:38:59 +0200
Message-ID: <20160713073859.GA88448@localhost.lu>

Dear List,

Not sure this has been shared here:

https://vez.mrsk.me/freebsd-defaults.txt

Some good points, others not so…

Nevertheless a good read and food for thought and discussion.

Sincerely,

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve@localhost.lu
.lu: +352 20 333 55 65

From owner-freebsd-security@freebsd.org Wed Jul 13 08:07:46 2016
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Steve Clement, freebsd-security@freebsd.org
Subject: Re: FreeBSD - a lesson in poor defaults?
Date: Wed, 13 Jul 2016 10:07:41 +0200
Message-ID: <5785F6CD.2080108@quip.cz>
In-Reply-To: <20160713073859.GA88448@localhost.lu>

Steve Clement wrote on 07/13/2016 09:38:
> Dear List,
>
> Not sure this has been shared here:
>
> https://vez.mrsk.me/freebsd-defaults.txt
>
> Some good points, others not so…
>
> Nevertheless a good read and food for thought and discussion.

I read it in the past and I think some things are easily fixable on the FreeBSD release side and should be fixed. Some things we modified on our installs.

Miroslav Lachman

From owner-freebsd-security@freebsd.org Wed Jul 13 08:45:48 2016
From: Slawa Olhovchenkov
To: Steve Clement
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD - a lesson in poor defaults?
Date: Wed, 13 Jul 2016 11:45:56 +0300
Message-ID: <20160713084556.GJ20831@zxy.spb.ru>
In-Reply-To: <20160713073859.GA88448@localhost.lu>

On Wed, Jul 13, 2016 at 09:38:59AM +0200, Steve Clement wrote:
> Dear List,
>
> Not sure this has been shared here:
>
> https://vez.mrsk.me/freebsd-defaults.txt
>
> Some good points, others not so…
>
> Nevertheless a good read and food for thought and discussion.

Most points are just inconvenience w/o security. IMHO, yes.
From owner-freebsd-security@freebsd.org Wed Jul 13 08:57:26 2016
From: Dan Lukes
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD - a lesson in poor defaults?
Date: Wed, 13 Jul 2016 10:57:25 +0200
Message-ID: <57860275.404@obluda.cz>
In-Reply-To: <20160713073859.GA88448@localhost.lu>

On 13.7.2016 9:38, Steve Clement wrote:
> https://vez.mrsk.me/freebsd-defaults.txt

This document is based on a premise I can't agree with. I will not dispute each argument in the document, but there are two main ideas: features compiled in and features turned on by default.

Regarding features compiled in ... I'm the administrator responsible for a computer's configuration. If the OpenSSH devs have publicly said threads are too risky and won't be added, I hear their opinion and take them seriously, but the final decision shall be mine. I wish to be allowed to decide that I want to use threads, the NONE cipher and so on. In short, no features should be removed/disabled at compile time because of "security" (assuming the "insecure" feature can be disabled by configuration).

Regarding features turned on by default ... To tell the truth, I don't care about them so much. Performance, backward compatibility and security require trade-offs all the time. There are no generic answers. I assume the virgin installed system will be ready to be remotely configured (e.g. sshd running, no firewall). A particular system needs to be tuned according to the local environment, goals and requirements. Thus I don't care about install-time defaults so much.

Just $0.02 ...

Dan

From owner-freebsd-security@freebsd.org Wed Jul 13 09:28:22 2016
Subject: Re: FreeBSD - a lesson in poor defaults?
From: Steve Clement
To: Dan Lukes
Cc: freebsd-security@freebsd.org
Date: Wed, 13 Jul 2016 11:19:04 +0200
Message-Id: <300EEE78-1BF1-460E-ABDD-8EA5C4809941@localhost.lu>
In-Reply-To: <57860275.404@obluda.cz>

By default, IMHO, a system should resist a standard install on a public IP address without being owned within the hour.

If you need hardening, you should always check and know your system. Especially if something says “secure by default”.

Wonder how HardenedBSD is doing these days… https://wiki.freebsd.org/Hardening

You do want to protect your basic users from themselves to a certain extent.

The SSL mess is a mess, but LibreSSL hasn’t been spared either.

Nevertheless I am sure that the Core Security team is having regular discussions on some defaults.

If we can assume that this About blob from the FreeBSD site is its mission statement:

“”””
https://www.freebsd.org/about.html

What is FreeBSD?

FreeBSD is an operating system for a variety of platforms which focuses on features, speed, and stability. It is derived from BSD, the version of UNIX® developed at the University of California, Berkeley. It is developed and maintained by a large community.
“”””

The rant is not that justified bearing in mind the versatility of FreeBSD.

Sincerely,

Steve

> On 13 Jul 2016, at 10:57, Dan Lukes wrote:
>
> A particular system needs to be tuned according to the local environment, goals and requirements. Thus I don't care about install-time defaults so much.

From owner-freebsd-security@freebsd.org Wed Jul 13 10:25:35 2016
From: Simon Krenz
To: Steve Clement
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD - a lesson in poor defaults?
Date: Wed, 13 Jul 2016 12:25:21 +0200 (CEST)
Message-ID: <429620683.344.1468405521739@office.mailbox.org>
In-Reply-To: <300EEE78-1BF1-460E-ABDD-8EA5C4809941@localhost.lu>
MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Priority: 3 Importance: Medium X-OX-Guard-Marker: false X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jul 2016 10:25:35 -0000 IMHO I can agree with most of the statements written down in this text. I c= an not understand why I need ntpd or sendmail activated in default installa= tions. If I want to setup a time server or a mail server with further abili= ties I can install them later on. Most of the installations don't need such= features. I don't think that the majority of servers do need threaded AES-= CTR or NONE ciphers also. For me a installation should be a minimum set of = features and a secure one as well. For all further things I need to know wh= at I want and can install them. This has nothing to do with: >If you need hardening, you should always check and know your system. because also if you don't need hardening you should always check and know y= our system. >I assume the virgin installed system will be ready to be remotely >configured (e.g. sshd running, no firewall). This will be as well with minimum sshd configuration and firewall activated= . >If we can assume that this About blob from the FreeBSD site is it=E2=80=99= s mission statement: =E2=80=9C=E2=80=9D=E2=80=9D=E2=80=9D >https://www.free= bsd.org/about.html What is FreeBSD? FreeBSD is an operating system for a va= riety of >platforms which focuses on features, speed, and stability. It is = derived from BSD, the version of >UNIX=C2=AE deve=E2=80=A6 And thats the problem, there is no word about security in this mission stat= ement, but maybe it should be there in the actual word. 
Just my 2 cents From owner-freebsd-security@freebsd.org Wed Jul 13 11:29:29 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 69BA0B97721 for ; Wed, 13 Jul 2016 11:29:29 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0E7E41FC1 for ; Wed, 13 Jul 2016 11:29:28 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: by mail-wm0-x22e.google.com with SMTP id i5so64224694wmg.0 for ; Wed, 13 Jul 2016 04:29:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=zPQOvYeDijBaeGLjiCaUc4G4+eINzCutfMkjJs2kP/Q=; b=fLzRhkhibPqz4qcy2LDDwSYgWMl3eteDenfgR7CZEizKWsXIkLHyhdK66FI/VbwGQ0 7YIkCXPpuDFRpQJCrPfpbsD78xK9ziWMyURmfTQfCFo1kYO9MwBH0t1qGfNIESGQvRVa msum9rfKgXFDtNegKNHvoPzUPzN2YE+kqQDQmSnKyr+loJZSWleSx1vRcqLRWcr2XHbk NBtqGno6pB1jVFalbODd0oCHnj0kREq0oYZakgu5/LqefTQPk6lcLnrv1i35VRG3op7L RhRfWr3scilfOjehHepPrrjaJ5b+36QfRYoBYUFNFWsaLtgHsp7VnxVgr8VhmAQhGGE2 W7Kw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=zPQOvYeDijBaeGLjiCaUc4G4+eINzCutfMkjJs2kP/Q=; b=ZcaOAGq3BsY9/lecQJLIV4azjjHTY/yeudRaqTUhQI/fpgtwXZEUnHvt+1Zz3TcPSM qY0cIqZRUMuiuckuuxojyHmk+RVwdNiy6SvU1/hlRJn5MCvr/Ng/+fctTNCzQSFRlEw4 91fjvDLeDO0VdwOxmZmTwpULWs//eSHl9pmeZiPnUHTmVD29OkTG25O6xBOxBgWD4xtT yPjNx8SR2WMab3EwUdXbaaKPUMIH/Voep1M9cIF7iek3NgA+ek+HaTjsXQKHP2zVTSJf 
/RGmZu0Xt3Pm779CLtQRqYVNQAiE4BFTsJwLQuxt1t/YTbxNgSX9e2uF4/6SZQMr9ZAO aQ2A== X-Gm-Message-State: ALyK8tI1OM0DhOMEROonNGwKNT29+DsipuOmNhFRVYy8VOuAdCy3ZV6H+kC+NBar73jNsg== X-Received: by 10.28.167.144 with SMTP id q138mr9688633wme.83.1468409366790; Wed, 13 Jul 2016 04:29:26 -0700 (PDT) Received: from gumby.homeunix.com ([81.171.74.106]) by smtp.gmail.com with ESMTPSA id v3sm419006wjk.46.2016.07.13.04.29.25 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 13 Jul 2016 04:29:25 -0700 (PDT) Date: Wed, 13 Jul 2016 12:29:23 +0100 From: RW To: freebsd-security@freebsd.org Subject: Re: FreeBSD - a lesson in poor defaults? Message-ID: <20160713122923.058ee43e@gumby.homeunix.com> In-Reply-To: <429620683.344.1468405521739@office.mailbox.org> References: <20160713073859.GA88448@localhost.lu> <57860275.404@obluda.cz> <300EEE78-1BF1-460E-ABDD-8EA5C4809941@localhost.lu> <429620683.344.1468405521739@office.mailbox.org> X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; amd64-portbld-freebsd10.2) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jul 2016 11:29:29 -0000 On Wed, 13 Jul 2016 12:25:21 +0200 (CEST) Simon Krenz wrote: > IMHO I can agree with most of the statements written down in this > text. I can not understand why I need ntpd or sendmail activated in > default installations. ntpd isn't activated by default. 
From owner-freebsd-security@freebsd.org Wed Jul 13 11:46:48 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EF0D9B97C4B for ; Wed, 13 Jul 2016 11:46:48 +0000 (UTC) (envelope-from dan@obluda.cz) Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz [IPv6:2001:718:1e03:801::4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 88D5D1A2A for ; Wed, 13 Jul 2016 11:46:47 +0000 (UTC) (envelope-from dan@obluda.cz) X-SubmittedBy: id 100000045929 subject /DC=org/DC=terena/DC=tcs/C=CZ/O=Charles+20University+20in+20Prague/CN=Dan+20Lukes+20100000045929+20332603 issued by /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA+20eScience+20Personal+20CA+203 auth type TLS.MFF Received: from [10.20.12.2] ([194.108.204.138]) (authenticated) by smtp1.ms.mff.cuni.cz (8.15.2/8.15.2) with ESMTPS id u6DBkf7E066558 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK) for ; Wed, 13 Jul 2016 13:46:45 +0200 (CEST) (envelope-from dan@obluda.cz) Subject: Re: FreeBSD - a lesson in poor defaults? 
To: freebsd-security References: <20160713073859.GA88448@localhost.lu> <57860275.404@obluda.cz> <300EEE78-1BF1-460E-ABDD-8EA5C4809941@localhost.lu> <429620683.344.1468405521739@office.mailbox.org> <20160713122923.058ee43e@gumby.homeunix.com> From: Dan Lukes Message-ID: <57862A25.3000608@obluda.cz> Date: Wed, 13 Jul 2016 13:46:45 +0200 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40 MIME-Version: 1.0 In-Reply-To: <20160713122923.058ee43e@gumby.homeunix.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jul 2016 11:46:49 -0000 On 13.7.2016 13:29, RW via freebsd-security wrote: >> why I need ntpd or sendmail activated in default installations. > ntpd isn't activated by default. Also, it's somewhat imperfect to claim "sedmail activated" here. There's submission server running on localhost:25 by default only. Just to avoid confusions ... Dan
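Dan's point, that the stock sendmail listener is bound to localhost only, is the kind of claim a practitioner checks on the host rather than argues about. The script below is an added example and is not code from anyone in this thread. It parses the column layout of FreeBSD's `sockstat -46l` (USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS) and splits listeners into loopback-bound and externally reachable ones. The SAMPLE text is constructed to match the situation the thread describes (sshd on all addresses, sendmail on 127.0.0.1 and ::1 only); it is not captured from any real system.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: audit which listening
# sockets on a FreeBSD host are reachable from outside, using the column
# layout of `sockstat -46l`.
# SAMPLE is constructed to mirror what the thread describes: sshd bound to
# every address, sendmail's submission listener bound to loopback only.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1056  4  tcp4   127.0.0.1:25          *:*
root     sendmail   1056  5  tcp6   ::1:25                *:*
root     sshd       1012  3  tcp6   *:22                  *:*
root     sshd       1012  4  tcp4   *:22                  *:*'

# Read sockstat-style lines (header included) on stdin and print
# "COMMAND PROTO LOCAL_ADDRESS" for every socket in the requested class:
#   exposed  -> bound to a wildcard (*) or any non-loopback address
#   loopback -> bound to 127.0.0.0/8 or ::1
classify_listeners() {
    awk -v want="$1" 'NR > 1 && $5 ~ /^(tcp|udp)/ {
        addr = $6
        sub(/:[^:]*$/, "", addr)        # drop the trailing ":port"
        lo = (addr == "::1" || addr ~ /^127\./)
        if ((want == "loopback" && lo) || (want == "exposed" && !lo))
            print $2, $5, $6
    }'
}

# Count the listeners of one class in the given sockstat text.
# Usage: count_listeners exposed "$SAMPLE"
count_listeners() {
    printf '%s\n' "$2" | classify_listeners "$1" | awk 'END { print NR }'
}

# Exit 0 when no listener belonging to COMMAND is exposed, 1 otherwise.
# Usage: loopback_only sendmail "$SAMPLE"
loopback_only() {
    printf '%s\n' "$2" | classify_listeners exposed |
        awk -v cmd="$1" '$1 == cmd { found = 1 } END { exit found ? 1 : 0 }'
}

# On a live FreeBSD host replace SAMPLE with the real listing:
#   LIVE=$(sockstat -46l); count_listeners exposed "$LIVE"
printf 'listeners reachable beyond localhost:\n'
printf '%s\n' "$SAMPLE" | classify_listeners exposed
printf 'sendmail loopback-only: '
if loopback_only sendmail "$SAMPLE"; then echo yes; else echo no; fi
```

Every line printed by `classify_listeners exposed` is a service reachable from the network and therefore a candidate for the "does this belong in a default install" question the thread is debating; a loopback-only listener such as the submission server Dan mentions does not show up there.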