From owner-freebsd-security@freebsd.org  Mon Jul 11 22:52:04 2016
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id CB112B92224
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Mon, 11 Jul 2016 22:52:04 +0000 (UTC)
 (envelope-from mailing-machine@vniz.net)
Received: from mail-lf0-f41.google.com (mail-lf0-f41.google.com
 [209.85.215.41])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 59BD419C5
 for <freebsd-security@freebsd.org>; Mon, 11 Jul 2016 22:52:03 +0000 (UTC)
 (envelope-from mailing-machine@vniz.net)
Received: by mail-lf0-f41.google.com with SMTP id q132so83834215lfe.3
 for <freebsd-security@freebsd.org>; Mon, 11 Jul 2016 15:52:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:subject:to:references:cc:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-transfer-encoding;
 bh=2A9gF/l8qajVo/cG0TsptQqoOUCLuhXgiSzdmvunXf0=;
 b=TQv4PMN1+9PGeUAyEPzOSLAZXAujP7bWX0UbX4WH/YubumQGnOkIMtQxL5L9wROs6G
 m4YwPiwOkYc/ssDECkDNY2SjHa3HWgl685Htb+BIdoLq4n6jvhSaPPWe+qPD4CUlorCi
 3D5OWEwa+XERH+dJTe9gsRONZpKv5d4xMr+5FoLgm9gh8TZB2itHkCFq9TgcxNJv5bRk
 0e2tULia+8pCDTdscICzSrb/R9HBxUM6lICv5y/jdWgopAc6x3lb03rgpEeu+lrlpcWS
 1FqUN0B/ZVWKtaBwwOitJHK1pNgumxjezhFg/sh5EIZsb1ZIz9b09n9DRkbrYcdGsYpN
 EH2Q==
X-Gm-Message-State: ALyK8tLs8KILNKAvo5vexez8koIys+kOukMsXK7/YEKaDaClWRV+MzKf2H/5Ew4BS/zIyA==
X-Received: by 10.25.216.106 with SMTP id p103mr5476928lfg.226.1468277516245; 
 Mon, 11 Jul 2016 15:51:56 -0700 (PDT)
Received: from [192.168.1.2] ([89.169.173.68])
 by smtp.gmail.com with ESMTPSA id h36sm2639412ljh.23.2016.07.11.15.51.55
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 11 Jul 2016 15:51:55 -0700 (PDT)
Subject: Re: GOST in OPENSSL_BASE
To: Slawa Olhovchenkov <slw@zxy.spb.ru>, Jung-uk Kim <jkim@FreeBSD.org>
References: <20160710133019.GD20831@zxy.spb.ru>
 <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org>
 <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org>
 <20160711184122.GP46309@zxy.spb.ru>
 <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org>
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
From: Andrey Chernov <ache@freebsd.org>
Message-ID: <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org>
Date: Tue, 12 Jul 2016 01:51:54 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 22:52:04 -0000

On 12.07.2016 1:44, Andrey Chernov wrote:
> On 11.07.2016 21:41, Slawa Olhovchenkov wrote:
>> On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
>>
>>> On 07/10/16 10:10 AM, Andrey Chernov wrote:
>>>> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
>>>>> I am surprised lack of support GOST in openssl-base.
>>>>> Can be this enabled before 11.0 released?
>>>>
>>>> AFAIK openssl maintainers says something like they can't support this
>>>> code and it will become rotten shortly with new changes, so they drop it.
>>>
>>> [OpenSSL-maintainer-for-the-base hat on]
>>>
>>> GOST is supported on FreeBSD 10.x and 11.x.  We will not drop it on
>>> these branches unless secteam explicitly ask us to do so.  However, we
>>> *may* drop it from 12.0 *iff* we import OpenSSL 1.1.0 branch.
>>>
>>> [OpenSSL-maintainer-for-the-base hat off]
>>>
>>> Jung-uk Kim
>>>
>>
>> Thanks!
>>
>> May be need file PR for dns/bind910?
>>
>> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
>> .include <bsd.port.pre.mk>
>>
>> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
>> BROKEN= OpenSSL from the base system does not support GOST, add \
>>         DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
>>         that needs SSL.
>> .endif
>>
> 
> I dislike idea to use GOST in the bind, it is unneeded there, DNSSEC
> don't use GOST, so I vote for removing GOST option from there.
> 

I need to note that RFC exists, proposing GOST (old version) for DNSSEC:
https://tools.ietf.org/html/rfc5933
but nobody really use it.